CVE-2025-55202: Opencast has a partial path traversal vulnerability in UI config

The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases.

The path is checked without checking for the file separator. This could allow attackers access to files within another folder which starts with the same path. For example, the default UI config directory is placed at /etc/opencast/ui-config. Without this patch, an attacker can get access to files in a folder /etc/opencast/ui-config-hidden if those files are readable by Opencast.

General path traversal is not possible. For example, an attacker cannot exploit this to access files in /etc/opencast/encoding or even in /etc/opencast/ directly.