XSLs are returned in plaintext if trailing dot is appended to the URL (Windows only)
If requesting an xsl file, anyone can get a unprocessed version of that file, possibly exposing internal information to the user, by appending a dot to the requested filename:
http://localhost:8000/status.xsl.
Only Windows is affected. This is due to the way the Windows API handles filenames, as it strips the trailing dot and will assume status.xsl instead of the version with the trailing dot.
Unix and Linux builds were never affected.
(See CVE-2005-0837 and #635 (closed))