Index: library/xotcl/library/comm/Httpd.xotcl
===================================================================
diff -u -N -rc4f449cb353be812ba6502ef8e9587e87881f59b -rd074fd504cab494e949db91a069c370d4db8b44c
--- library/xotcl/library/comm/Httpd.xotcl (.../Httpd.xotcl) (revision c4f449cb353be812ba6502ef8e9587e87881f59b)
+++ library/xotcl/library/comm/Httpd.xotcl (.../Httpd.xotcl) (revision d074fd504cab494e949db91a069c370d4db8b44c)
@@ -179,6 +179,13 @@
 #puts stderr ---[encoding convertfrom utf-8 $fileName]----
 set fileName [encoding convertfrom utf-8 $fileName]
 #
+ # Avoid directory traversal attacks
+ #
+ set fileName [file normalize $fileName]
+ if {![string match $root/* $fileName]} {
+ set fileName $root
+ }
+ #
 my decode-formData $query
 my log Query $firstLine
 if {[my exists forceVersion1.0]} {
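Review bot: The containment check `if {![string match $root/* $fileName]}` uses `$root` as a glob pattern, so any `*`, `?` or `[` in the document root changes what matches, and it only works if `$root` is already in the same normalized form that `file normalize` produces for `$fileName` (absolute, no trailing slash, symlinks resolved) — nothing in the hunk shows `$root` being normalized. A literal prefix comparison against a normalized root is safer: `set root [file normalize $root]` before the check, then `if {![string equal -length [string length $root/] $root/ $fileName]} {`. Note that `file normalize` is documented to leave the last path component's symlink unresolved, so a link inside the root that points elsewhere would still pass this test; if that matters for this server, a separate check on the final component is needed. The fallback `set fileName $root` silently serves the document root instead of rejecting the request, which hides probing from the access log; consider returning an error response there instead. The enclosing method starts and ends outside the hunk.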