> In my mind only one issue remains - when we say "we will serve files from directory X", how
> to we prevent mhttpd from serving files outside this directory by using trick URLs containing ".."
> and/or other gimmicks.
> So at the least we must enable serving of multi-level URL path names to serve 3rd party packages.
> The most trivial way out is to replace the URL check "/ is not permitted" with ".. is not permitted".
This change is "in". commit https://bitbucket.org/tmidas/midas/commits/b231d10b5816c14428a69ee97b16f6fee7819367
mhttpd should be able to serve "jsroot" and other 3rd packages now.