comelz Quark before 2019-03-26 allows directory traversal to locations outside of the project directory.