Index: flatpak-1.4.2/common/flatpak-oci-registry.c
===================================================================
--- flatpak-1.4.2.orig/common/flatpak-oci-registry.c
+++ flatpak-1.4.2/common/flatpak-oci-registry.c
@@ -227,6 +227,9 @@ flatpak_oci_registry_new (const char   *
   return oci_registry;
 }
 
+/* Carefully opens a file from a base directory and subpath,
+ * making sure that its not a symlink, pipe, etc.
+ */
 static int
 local_open_file (int           dfd,
                  const char   *subpath,
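Review bot: The new comment above local_open_file promises more than the open call in this patch can guarantee, and it has a typo (`its` should be `it's`). O_NOFOLLOW refuses a symlink only when it is the final component of `subpath`, so the wording should be narrowed, e.g. `/* Opens subpath relative to dfd, refusing a symlink as the final path component and, after fstat, anything that is not a regular file. */`. The rejection of pipes and other non-regular files presumably happens in the `struct stat` check further down, which is outside this hunk, so confirm that part against the body before keeping it in the comment.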
@@ -238,7 +241,7 @@ local_open_file (int           dfd,
   struct stat tmp_st_buf;
 
   do
-    fd = openat (dfd, subpath, O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_NOCTTY);
+    fd = openat (dfd, subpath, O_NOFOLLOW | O_RDONLY | O_NONBLOCK | O_CLOEXEC | O_NOCTTY);
   while (G_UNLIKELY (fd == -1 && errno == EINTR));
   if (fd == -1)
     {
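Review bot: O_NOFOLLOW on the `openat ()` call rejects a symlink only in the last component of `subpath`; a directory component that is itself a symlink is still resolved and can point outside `dfd`. If any caller passes a multi-component subpath taken from an untrusted OCI layout (the callers are not visible here), the open needs stronger confinement: either a per-component walk using `O_NOFOLLOW | O_DIRECTORY`, or `openat2 ()` with `RESOLVE_NO_SYMLINKS` on Linux 5.6 and later. It is also worth checking how the `if (fd == -1)` branch, whose body lies outside the hunk, reports the `ELOOP` that a rejected symlink now produces, so that callers and logs can tell it apart from a missing file.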
