Plugin servlet should not provide access to all files on the host
As reported by Shvetsov Alexander (Positive Technologies):
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
An attacker can inject a path to local files after "plugin/<some symbols>/" in this URL. This vulnerability can be exploited only on windows platform (because it is necessary to use "\" symbol as file system path separator).
Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
It's probably a good tradeoff between security and flexibility to limit access to anything under Openfire, rather than anything limited to the plugin directory.
I'm thinking that some will consider being able to access files outside of the context of the plugin/Openfire a feature, rather than a bug. We should allow for this behavior to be accepted, using a property that by default prevents access.