At the worse, this can be a vector for exploits, since a static file
server might do path.join(docroot, path.normalize("/"+req)) to get the
file. If the normalized request path could be something like
"/../../../etc/passwd" then bad things could happen.
http://github.com/isaacs/node/commit/3a3f8de6170351ff83ec6c46d456a6476193ac0e
--i
Thank you. Committed in 65037ee.