http://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660Oh, you're right. I missed that somehow. I read something like: fullPath = Path.Combine(path, context.Request.RawUrl) Nevermind... http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment5http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment5Mon, 31 Mar 2008 20:20:58 GMTWell, did you note Path.GetFileName(context.Request.RawUrl) ?? That will stop those attacks http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment4http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment4Mon, 31 Mar 2008 16:35:27 GMTBut, what happens if you pass something like: http://localhost/prefix/../../../Windows/System32/Secret.File Sorry, couldn't resist ;-) http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment3http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment3Mon, 31 Mar 2008 16:31:19 GMTthe altdotnet style :) http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment2http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment2Sun, 30 Mar 2008 20:31:19 GMTWow, let's benchmark! Instead of switching to IIS7 we should use this :) http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment1http://ayende.com/3235/a-web-server-in-30-lines-of-code#comment1Sun, 30 Mar 2008 20:17:15 GMT