Again a URL canonicalization bug. This shows two things (again):

• It is very, very hard to get resource names and encodings right – even in big projects with a lot of testers.
• Never store sensitive data under the application vroot (the further away the better).

Description and patch here.