Only in src: DIFF
diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java
--- src.old/org/gjt/jsp/JspServlet.java	Thu Oct  5 09:28:00 2000
+++ src/org/gjt/jsp/JspServlet.java	Wed Feb 20 16:41:16 2002
@@ -598,6 +598,12 @@
 			  String jspURI)
 	throws IOException, ServletException
     {
+	// Security check: Deny the request if the path is appended to
+	// the servlet URI -- gybas@trustsec.de
+	if (request.getRequestURI().startsWith(request.getServletPath())) {
+	    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
 	// Deny requests beginning with denyURI, if specified.
 	if ((denyURI != null) && (jspURI.startsWith(denyURI))) {
 	    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
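Review bot: The added security check calls `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` and then closes the `if` block without leaving the method, so a request it is meant to deny falls through to the denyURI check and, as far as the hunk shows, to the rest of the handler. Add an exit directly after the sendError call, e.g. `return;` if the method is void (its signature begins outside the hunk and its body continues past it). Without that, the JSP may still be processed, and a later write or second `sendError` would hit an already committed response. Separately, `getRequestURI()` includes the context path and is not URL-decoded, while `getServletPath()` excludes the context path, so under a non-root context the `startsWith` comparison would likely never match. Comparing against `request.getContextPath() + request.getServletPath()` looks closer to the stated intent and is worth confirming with a test for both root and non-root deployments.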


