diff -ur src.old/org/gjt/jsp/JspServlet.java src/org/gjt/jsp/JspServlet.java
--- src.old/org/gjt/jsp/JspServlet.java Mon Oct 18 19:28:52 1999
+++ src/org/gjt/jsp/JspServlet.java Wed Feb 20 16:09:27 2002
@@ -262,6 +262,12 @@
 */
 }
+ // Security check: Deny the request if the path is appended to
+ // the servlet URI -- gybas () trustsec de
+ if (request.getRequestURI().startsWith(request.getServletPath())) {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ }
+
 String jspURI = requestToJspURI (request);
 if ((denyURI != null) && (jspURI.startsWith(denyURI))) {
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
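Review bot: The new guard calls `response.sendError(HttpServletResponse.SC_BAD_REQUEST);` but never returns, so execution falls through to `requestToJspURI (request)` and the rest of the handler still runs for a request that was just rejected. Add `return;` immediately after the `sendError` call inside the new `if`. Separately, `getRequestURI()` is the raw, undecoded value (and includes the context path in containers that have one), while `getServletPath()` is container-decoded. A plain `startsWith` may therefore not match equivalent encodings of the same path, so comparing normalised values would be more robust, though how this container populates the two is not visible here. The enclosing method starts and ends outside the hunk, so whether the `denyURI` branch below returns after its own `sendError` cannot be confirmed from this view.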