Path traversal in the HTTP.jl static file server via separator/absolute path segments
Description
The static file server decoded the request path, split it on /, and rejected only segments exactly equal to . or ... Because URL-decoding ran before the / split, an encoded backslash (%5c), a Windows drive specifier (C:\...), or a UNC prefix (\\host\share) survived inside a single segment and passed validation. On Windows, joinpath then honored \` as a separator and treated drive/UNC segments as absolute, discarding the configured document root.
### Impact
A remote client could read files outside the served document root and, on Windows, trigger outbound SMB/NTLM authentication via UNC paths, by crafting encoded separator, drive, or UNC segments.
### Patches
Fixed in HTTP.jl v2.4.0. A new platform-independent segment validator rejects any decoded segment that is./.., contains a path separator (/or`), contains a colon (drive specifier / alternate data stream), or is absolute; unsafe segments are mapped to a 400 response. A defense-in-depth containment backstop additionally requires the normalized joined path to remain within the normalized root.
Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.