Another problem with the whole block is the following:

g) All the pass-through stuff happens before any authentication. Even if there was no way to hack into accessing other files... but just the intended ones like .../images/davical.png or whatever... that could be a problem. Imagine that users add their own customisations like company logos, or people's faces or any other stuff that mustn't be exposed to the world for e.g. privacy reasons.

Cheers, Chris.