Your patch will simply let the %2F through, but then a later section of code will translate them to / and we've opened a security hole in the main server. I'd rather move the rejection code to the place where a decision has to be made (like the directory walk), but I have no time to do it myself. I think it is reasonable to allow %2F under some circumstances, but only in content handlers and only as part of path-info and not within the real directory structure.
....Roy
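
The placement described in the message above, sketched as an added example that is not part of the original message or of the server's code: the path is split on literal `/` before decoding, an encoded slash is rejected only where a segment is about to name a real entry in the tree, and it is allowed once a content handler has been reached and the remainder is path-info. `DOCROOT`, `walk` and `Rejected` are hypothetical names, the tree is constructed sample data, and handing path-info to the handler undecoded is an assumption of this example.

```python
from urllib.parse import unquote

# Constructed document tree: dicts are directories, strings are resources.
DOCROOT = {
    "docs": {"index.html": "static"},
    "cgi-bin": {"wiki": "handler"},
    "private": {"secret.txt": "static"},
}


class Rejected(Exception):
    """Raised by the walk when a segment must not be mapped onto the tree."""


def walk(raw_path):
    """Map a raw (still percent-encoded) URL path onto DOCROOT.

    Returns (resolved_segments, path_info). Splitting happens on literal
    '/' before any decoding, so an encoded slash stays inside one segment
    and can never add or remove a directory level.
    """
    segments = raw_path.lstrip("/").split("/")
    node, resolved = DOCROOT, []
    for i, raw in enumerate(segments):
        name = unquote(raw)
        # Decision point: this segment is about to name a real entry,
        # so a decoded '/' (from %2F), NUL, or dot segment is refused here.
        if "/" in name or "\x00" in name or name in ("", ".", ".."):
            raise Rejected(f"segment {raw!r} not allowed in directory walk")
        if name not in node:
            raise Rejected(f"no such entry {name!r}")
        node = node[name]
        resolved.append(name)
        if not isinstance(node, dict):
            # Reached a resource: everything after it is path-info. It is
            # left raw so the handler can still tell '/' from '%2F'.
            rest = segments[i + 1:]
            return resolved, ("/" + "/".join(rest)) if rest else ""
    raise Rejected("path names a directory, not a resource")


if __name__ == "__main__":
    print(walk("/cgi-bin/wiki/Foo%2FBar"))   # %2F accepted in path-info
    try:
        walk("/docs%2Findex.html")           # %2F inside the real tree
    except Rejected as exc:
        print("rejected:", exc)
```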