From 9410a4f7ef64f8c94a0ddf5479b6cca5468e982a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 9 Mar 2026 10:20:42 +0000
Subject: [PATCH 1/2] Initial plan

From 30c50794ceaa24f067c698b5ca31ce65b3bed4cc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 9 Mar 2026 10:24:27 +0000
Subject: [PATCH 2/2] fix(security): add File.separator to path traversal check in FileResponse.java (nwu and nwu2)

Co-authored-by: nmaguiar <11761746+nmaguiar@users.noreply.github.com>
---
 src/com/nwu/httpd/responses/FileResponse.java | 13 +++++++------
 src/com/nwu2/httpd/responses/FileResponse.java | 13 +++++++------
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/com/nwu/httpd/responses/FileResponse.java b/src/com/nwu/httpd/responses/FileResponse.java
index 265702db4..58385a905 100644
--- a/src/com/nwu/httpd/responses/FileResponse.java
+++ b/src/com/nwu/httpd/responses/FileResponse.java
@@ -104,12 +104,13 @@ public com.nwu.httpd.responses.Response serveFile(String uri,
 "FORBIDDEN: Invalid path.");
 }
- // Prohibit getting out of current directory
- if (relativeUri.startsWith("..") || relativeUri.endsWith("..")
- || relativeUri.indexOf("../") >= 0)
- return new com.nwu.httpd.responses.SimpleResponse(httpd,
- Codes.HTTP_FORBIDDEN, Codes.MIME_PLAINTEXT,
- "FORBIDDEN: Won't serve ../ for security reasons.");
+ // Prohibit getting out of current directory
+ if (relativeUri.startsWith("..") || relativeUri.endsWith("..")
+ || relativeUri.indexOf("../") >= 0
+ || relativeUri.indexOf(".." + File.separator) >= 0)
+ return new com.nwu.httpd.responses.SimpleResponse(httpd,
+ Codes.HTTP_FORBIDDEN, Codes.MIME_PLAINTEXT,
+ "FORBIDDEN: Won't serve .. paths for security reasons.");
 File f;
 File baseDir;
diff --git a/src/com/nwu2/httpd/responses/FileResponse.java b/src/com/nwu2/httpd/responses/FileResponse.java
index a04dff34c..b14bf59f1 100644
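Review bot: The new clause `relativeUri.indexOf(".." + File.separator) >= 0` is redundant on platforms where `File.separator` is `/` (it repeats the `indexOf("../")` test directly above it) and only adds coverage of the `..\` spelling elsewhere, so the guard remains a substring denylist on the request string and cannot catch a path that resolves outside the served tree without spelling `..` in `relativeUri`, for example through a symlink under `baseDir`. Since `File f;` and `File baseDir;` are declared right below, the robust complement is a containment check on the resolved file, `if (!f.getCanonicalPath().startsWith(baseDir.getCanonicalPath() + File.separator))` returning the same `HTTP_FORBIDDEN` response; it belongs after `f` is assigned, which is outside this hunk, and `getCanonicalPath()` throws `IOException`, so it has to sit where `serveFile` already handles or declares that (adjust the prefix test if `baseDir` can be the filesystem root). The comment above the condition could also state why both spellings are tested, `// "../" is the URI form; ".." + File.separator additionally catches "..\" on Windows`. The same guard is duplicated in the `com.nwu2` hunk below, so this applies there too; `serveFile` starts before and continues past this hunk.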
--- a/src/com/nwu2/httpd/responses/FileResponse.java
+++ b/src/com/nwu2/httpd/responses/FileResponse.java
@@ -104,12 +104,13 @@ public com.nwu2.httpd.responses.Response serveFile(String uri,
 "FORBIDDEN: Invalid path.");
 }
- // Prohibit getting out of current directory
- if (relativeUri.startsWith("..") || relativeUri.endsWith("..")
- || relativeUri.indexOf("../") >= 0)
- return new com.nwu2.httpd.responses.SimpleResponse(httpd,
- Codes.HTTP_FORBIDDEN, Codes.MIME_PLAINTEXT,
- "FORBIDDEN: Won't serve ../ for security reasons.");
+ // Prohibit getting out of current directory
+ if (relativeUri.startsWith("..") || relativeUri.endsWith("..")
+ || relativeUri.indexOf("../") >= 0
+ || relativeUri.indexOf(".." + File.separator) >= 0)
+ return new com.nwu2.httpd.responses.SimpleResponse(httpd,
+ Codes.HTTP_FORBIDDEN, Codes.MIME_PLAINTEXT,
+ "FORBIDDEN: Won't serve .. paths for security reasons.");
 File f;
 File baseDir;