note skx <p>I downloaded and ran your code, and traversals with ".." definitely work:</p> <code> skx@gold:~$ telnet 127.0.0.1 4321 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. GET /../../../../../../etc/passwd HTTP/1.0 root:x:0:0:root:/root:/bin/bash .. </code> <p>I notice too that you never return a content-type in your response which is surprising to say the least! (I was surprised that firefox displayed the resulting pages correctly.)</p> <!-- Node text goes above. Div tags should contain sig only --> <div class="pmsig"><div class="pmsig-194370"> <a href="http://www.steve.org.uk/">Steve</a><br/> -- <br/> </div></div> 771634 771751