Block symlink dir traversal for /static

This is in line with how it behaved before, but it was lifted a little for the project mount for Hugo Modules,
but that could create hard-to-detect loops.

hugofs/decorators.go

@@ -90,19 +90,14 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs {
 		isSymlink := isSymlink(fi)
 		if isSymlink {
 			meta[metaKeyOriginalFilename] = filename
-			link, err := filepath.EvalSymlinks(filename)
+			var link string
+			var err error
+			link, fi, err = evalSymlinks(fs, filename)
 			if err != nil {
 				return nil, err
 			}
-
-			fi, err = fs.Stat(link)
-			if err != nil {
-				return nil, err
-			}
-
 			filename = link
 			meta[metaKeyIsSymlink] = true
-
 		}
 
 		opener := func() (afero.File, error) {
@@ -117,6 +112,20 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs {
 	return ffs
 }
 
+func evalSymlinks(fs afero.Fs, filename string) (string, os.FileInfo, error) {
+	link, err := filepath.EvalSymlinks(filename)
+	if err != nil {
+		return "", nil, err
+	}
+
+	fi, err := fs.Stat(link)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return link, fi, nil
+}
+
 type baseFileDecoratorFs struct {
 	afero.Fs
 	decorate func(fi os.FileInfo, filename string) (os.FileInfo, error)