Index: /trunk/src/VBox/HostServices/SharedFolders/vbsf.cpp
===================================================================
--- /trunk/src/VBox/HostServices/SharedFolders/vbsf.cpp	(revision 39628)
+++ /trunk/src/VBox/HostServices/SharedFolders/vbsf.cpp	(revision 39629)
@@ -182,11 +182,16 @@
 }
 
+/**
+ * Do a simple path check given by pUtf8Path. Verify that the path is within
+ * the root directory of the mapping. Count '..' and other path components
+ * and check that we do not go over the root.
+ *
+ * @remarks This function assumes that the path will be appended to the root
+ * directory of the shared folder mapping. Keep that in mind when checking
+ * absolute pathes!
+ */
 static int vbsfPathCheck(const char *pUtf8Path, size_t cbPath)
 {
     int rc = VINF_SUCCESS;
-
-    /* The pUtf8Path is what the guest sent. Verify that the path is within the root.
-     * Count '..' and other path components and check that we do not go over the root.
-     */
 
     size_t i = 0;
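Review bot: The new docblock on vbsfPathCheck() has no `@returns` or `@param` lines, although this commit makes the function a second security gate for symlink targets. I would add `@returns VBox status code, failure if the path would climb above the root.`, `@param pUtf8Path The guest-supplied path (UTF-8).` and `@param cbPath Number of bytes of pUtf8Path to examine.`. Whether cbPath includes the terminator is not visible here and should be confirmed first. If the body only counts components, as the description suggests, the remarks should also say that links already present on the host are not resolved. The function body continues outside the hunk.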
@@ -265,5 +270,4 @@
         /* Verify that the path is under the root directory. */
         rc = vbsfPathCheck((const char *)&pPath->String.utf8[0], pPath->u16Length);
-
         if (RT_SUCCESS(rc))
         {
@@ -485,5 +489,5 @@
                         rc = RTPathQueryInfoEx(pszFullPath, &info, RTFSOBJATTRADD_NOTHING, RTPATH_F_ON_LINK);
                         *pszSrc = RTPATH_DELIMITER;
-                        if (rc == VINF_SUCCESS)
+                        if (RT_SUCCESS(rc))
                         {
 #ifdef DEBUG
@@ -1222,5 +1226,4 @@
 
     rc = vbsfBuildFullPath(pClient, root, pPath, cbPath, &pszFullPath, &cbFullPathRoot);
-
     if (RT_SUCCESS(rc))
     {
@@ -2279,5 +2282,5 @@
 
     char *pszFullNewPath = NULL;
-    char *pszOldPath = NULL;
+    const char *pszOldPath = (const char *)pOldPath->String.utf8;
 
     /* XXX: no support for UCS2 at the moment. */
@@ -2285,7 +2288,14 @@
         return VERR_NOT_IMPLEMENTED;
 
+    /* don't allow absolute targets */
+    if (RTPathStartsWithRoot(pszOldPath))
+        return VERR_INVALID_NAME;
+    
+    /* Force relative pathes to be inside the shared folder. Don't allow the target to go up */
+    rc = vbsfPathCheck(pszOldPath, pOldPath->u16Length);
+    AssertRCReturn(rc, rc);
+
     rc = vbsfBuildFullPath(pClient, root, pNewPath, pNewPath->u16Size, &pszFullNewPath, NULL);
-    if (rc != VINF_SUCCESS)
-        return rc;
+    AssertRCReturn(rc, rc);
 
     rc = RTSymlinkCreate(pszFullNewPath, (const char *)pOldPath->String.utf8,
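Review bot: Both added `AssertRCReturn(rc, rc);` lines turn the rejection of guest-supplied input into an assertion, so a guest sending a bad path trips it in strict builds. A failing vbsfPathCheck() or vbsfBuildFullPath() is an expected result of a bad request, not a host-side invariant violation, and `if (RT_FAILURE(rc)) return rc;` rejects it without asserting. Separately, vbsfPathCheck() is bounded by `pOldPath->u16Length`, while RTPathStartsWithRoot() and RTSymlinkCreate() read up to the terminator. The validated span and the string actually used can therefore differ unless termination within u16Length is enforced elsewhere, which this hunk does not show. The check also counts components as if the target were appended to the share root, whereas a relative link target is resolved from the directory holding the new link, and the comment above the call should state that assumption. The enclosing function starts and ends outside the hunk.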
