Re: Considering general/PR7357: URLs containing invalid paths in combination with .. are served

[Roy T. Fielding]

If, at any time while processing the request, the URL is rewritten such
that a bogus identifier is replaced with an identifier for a valid resource,
then that request should result in a 301 response.  The only exceptions
are internal subrequests for SSI and places where there is a known
browser bug that can't handle the 301.

This isn't in the RFCs -- it is part of the model for how resources
work on the Web (a.k.a. my dissertation).

....Roy