Why do you see that as a problem? This method's purpose is to send an absolute path. So it's checked if the given path is absolute and if not, the working directory is added in front. That's exactly what's happening with your example, so the path being sent to the server is e.g. /home/myuser/../../../etc/password. There are completely valid reasons why you want to send a path like this to a server, it's the server's obligation to restrict access to /etc/password no matter how the path is received...
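The split of responsibilities described in this reply, as an added example that is not part of the original post or of the project's code: the client only makes the path absolute, and the server normalizes what it receives and confines it to an allowed root. The function names and the per-user root /home/myuser are assumptions made for illustration.

```python
import posixpath


def to_absolute(path, working_dir):
    """Client side, as the reply describes: an absolute path is sent as-is,
    anything else gets the working directory put in front. No normalization."""
    if path.startswith("/"):
        return path
    return working_dir.rstrip("/") + "/" + path


def resolve_under_root(received, root):
    """Server side: collapse '.' and '..' in the received path, then require
    the result to stay inside root. Returns the normalized path or raises."""
    if "\x00" in received or not received.startswith("/"):
        raise PermissionError("rejected path: %r" % received)
    # lstrip first: normpath preserves a leading '//' per POSIX.
    normalized = posixpath.normpath("/" + received.lstrip("/"))
    root = posixpath.normpath(root)
    # Compare on a component boundary so /home/myuser2 is not "inside" /home/myuser.
    if normalized != root and not normalized.startswith(root.rstrip("/") + "/"):
        raise PermissionError("outside %s: %s" % (root, normalized))
    # Lexical check only: a real server must also resolve symlinks
    # (e.g. os.path.realpath) before opening the file.
    return normalized


def check(received, root):
    """Return 'ALLOW <path>' or 'DENY <reason>' for display."""
    try:
        return "ALLOW " + resolve_under_root(received, root)
    except PermissionError as exc:
        return "DENY " + str(exc)


if __name__ == "__main__":
    root = "/home/myuser"  # assumed per-user root (constructed sample)
    for arg in ["notes.txt", "docs/../notes.txt", "../../../etc/password"]:
        sent = to_absolute(arg, root)
        print(sent, "->", check(sent, root))
```

The server-side check gives the same answer whether the client sent the path raw, prefixed with the working directory, or already normalized, which is why the enforcement belongs there.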