Don’t allow going outside PAGES_DIRECTORY

[alexshpilkin]

The server as it stands now will happily display things like /../, /../../, or ../../../../../../../../../../etc/passwd. (Note that most modern browsers and even curl will refuse to make such requests, but, say, HTTPie won’t, and there’s always telnet.) Such requests should be treated as if PAGES_DIRECTORY is the filesystem root.

[klange]

Not sure how that was missed in 8 years. I haven't read the HTTP specs in a while, but I think clients are expected to normalize paths, so hopefully checking for .. as a path element and throwing Bad request should be an appropriate solution.