diff -urN roundup.cvs/roundup/cgi/client.py roundup.kt1/roundup/cgi/client.py
--- roundup.cvs/roundup/cgi/client.py 2004-05-11 17:32:05.000000000 +0400
+++ roundup.kt1/roundup/cgi/client.py 2004-05-27 19:16:17.000000000 +0400
@@ -519,7 +519,11 @@
 def serve_static_file(self, file):
 ''' Serve up the file named from the templates dir
 '''
- filename = os.path.join(self.instance.config.TEMPLATES, file)
+ prefix = self.instance.config.STATIC_FILES
+ filename = os.path.normpath(os.path.join(prefix, file))
+
+ if not filename[:len(prefix)] == prefix:
+ raise NotFound, file
 
 # last-modified time
 lmt = os.stat(filename)[stat.ST_MTIME]
diff -urN roundup.cvs/templates/classic/config.py roundup.kt1/templates/classic/config.py
--- roundup.cvs/templates/classic/config.py 2004-03-27 02:45:34.000000000 +0300
+++ roundup.kt1/templates/classic/config.py 2004-05-27 19:16:00.000000000 +0400
@@ -48,6 +48,10 @@
 
 # This is the directory that the HTML templates reside in
 TEMPLATES = os.path.join(TRACKER_HOME, 'html')
+# This is the directory that the static web content reside in
+# (like styles, images, and stuff)
+STATIC_FILES = os.path.join(TRACKER_HOME, 'html/static')
+
 
 # A descriptive name for your roundup instance
 TRACKER_NAME = 'Roundup issue tracker'
diff -urN roundup.cvs/templates/minimal/config.py roundup.kt1/templates/minimal/config.py
--- roundup.cvs/templates/minimal/config.py 2004-03-27 02:45:34.000000000 +0300
+++ roundup.kt1/templates/minimal/config.py 2004-05-27 19:16:00.000000000 +0400
@@ -48,6 +48,10 @@
 
 # This is the directory that the HTML templates reside in
 TEMPLATES = os.path.join(TRACKER_HOME, 'html')
+# This is the directory that the static web content reside in
+# (like styles, images, and stuff)
+STATIC_FILES = os.path.join(TRACKER_HOME, 'html/static')
+
 
 # A descriptive name for your roundup instance
 TRACKER_NAME = 'Roundup issue tracker'
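Review bot: The containment test `filename[:len(prefix)] == prefix` compares raw strings rather than path components, so a normalized path that leaves the static directory but lands in a sibling whose name merely begins with the same characters still passes, and because `prefix` itself is never normalized, a configured value containing a `..` segment or (on Windows) a forward slash will not match the normalized `filename` at all. Normalize the prefix and compare on a directory boundary: `prefix = os.path.normpath(self.instance.config.STATIC_FILES)` and `if not filename.startswith(prefix + os.sep): raise NotFound, file`. `os.path.normpath` is purely lexical, so a symlink placed inside the static directory is still followed by the later `os.stat`; if that matters for a deployment, compare `os.path.realpath` results instead. The docstring still says the file is served "from the templates dir" and should name the static directory; the rest of `serve_static_file` lies outside this hunk.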
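Review bot: `'html/static'` is handed to `os.path.join` as a single component with a hard-coded forward slash, and `serve_static_file` in roundup/cgi/client.py compares this value verbatim against an `os.path.normpath` result, so on a platform where normpath rewrites separators the two would presumably never match and every static request would end in NotFound. Passing the parts separately avoids that: `STATIC_FILES = os.path.join(TRACKER_HOME, 'html', 'static')`; the identical line in templates/minimal/config.py needs the same change. The comment could also state that everything under this directory is handed to web clients with no permission check visible in this patch, so it should hold only public assets. Trackers created before this change have no STATIC_FILES in their config.py while the new code reads the attribute unconditionally, so an upgrade note or a fallback looks necessary; whether one exists elsewhere is not visible from these hunks.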