Roundup Tracker - Issues

Message5856

Author antmail
Recipients antmail, joseph_myers, rouilj, schlatterbeck
Date 2016-07-15.10:29:58
Message-id <463400878.20160715132952@inbox.ru>
In-reply-to <20160708223553.BE53880631@vm71.cs.umb.edu>
> In message <1666126880.20160708143147@inbox.ru>,

> I am still concerned if something in the url could be slipped
> past. High bit encoded characters that get stripped during the path
> conversion so the path ends up with .. even though it's not encoded
> that way in the name. Maybe some conversion function will change the
> path string before it gets passed to an open function or something.

> I may just be paranoid, but I remember path traversal bugs related to
> encoding issues.

> Anybody else want to chime in here?

I think that all decoding is done in the upper level and we are
working with a character string representing a path part. If the
bad thing (double period) is slipped past in some encoded form, it will
not make sense because system calls do not care about encoding. I think that
fopen("%2F%2E%2E%2F%2F%2E%2E%2Fpasswd") will fail anyway.
These are more likely my feelings than results of analysis.
History
Date                 User     Action  Args
2016-07-15 10:29:58  antmail  set     recipients: + antmail, schlatterbeck, rouilj, joseph_myers
2016-07-15 10:29:58  antmail  link    issue2550891 messages
2016-07-15 10:29:58  antmail  create
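
The question raised in this message (decode once at the upper level, then validate the path the OS will actually open) can be checked with a short added example; it is not part of the original message and is not Roundup's code. `resolve_under`, `classify` and the sample inputs are hypothetical and constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a requested path would escape the served directory."""


def resolve_under(root, raw_url_part):
    """Decode a URL path part once, then confine it to root.

    Hypothetical helper for illustration; not Roundup's code.
    """
    try:
        # Decode exactly once, strictly: invalid or overlong UTF-8 such as
        # %C0%AE raises instead of being silently stripped or replaced.
        decoded = unquote(raw_url_part, errors="strict")
    except UnicodeDecodeError as exc:
        raise UnsafePath("invalid encoding") from exc
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in path")
    root_real = os.path.realpath(root)
    # Check the path the OS will actually open, after .. and symlinks resolve.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePath("escapes root")
    return candidate


def classify(root, raw_url_part):
    """Return 'inside' or the rejection reason, for the demo below."""
    try:
        resolve_under(root, raw_url_part)
        return "inside"
    except UnsafePath as exc:
        return str(exc)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample inputs.
        for part in ["style.css", "%2E%2E%2Fpasswd", "%252E%252E%252Fpasswd",
                     "%C0%AE%C0%AE/passwd", "a/../../passwd"]:
            print(f"{part!r:28} -> {classify(root, part)}")
```

A string that is still percent-encoded after the single decode is treated as a literal file name under the root, and the containment check runs on the resolved path rather than on the undecoded text.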