TUX is designed to have very strict security. This is possible because the assistant user-space daemon is used to handle the complex exceptions.
TUX only serves a file if:
The URL does not contain ?.
The URL does not start with /.
The URL points to a file that exists.
The file is world-readable. [1]
The file is not a directory. [1]
The file is not executable. [1]
The file does not have the sticky-bit set. [1]
The URL does not contain any forbidden substrings such as .. [1]
[1] Configurable through the sysctl parameters in /proc/sys/net/tux.
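The conditions above can be applied to a document root ahead of time to see which files fail which rule. The following is an added example, not code from TUX. It assumes the URL is the request path relative to the document root, that "executable" means any execute bit is set, and that ".." is the only forbidden substring; the function names are hypothetical.

```python
import os
import stat

# Assumption: ".." is the only forbidden substring the page names.
FORBIDDEN_SUBSTRINGS = ("..",)

def tux_refusal_reasons(url, mode, forbidden=FORBIDDEN_SUBSTRINGS):
    """Return the listed rules that block serving `url`.

    `mode` is the st_mode of the file the URL maps to, or None if no
    such file exists. An empty list means every condition is met.
    """
    reasons = []
    if "?" in url:
        reasons.append("contains ?")
    if url.startswith("/"):
        reasons.append("starts with /")
    for sub in forbidden:
        if sub in url:
            reasons.append("forbidden substring %r" % sub)
    if mode is None:
        reasons.append("file does not exist")
        return reasons  # no mode bits to inspect
    if not mode & stat.S_IROTH:
        reasons.append("not world-readable")
    if stat.S_ISDIR(mode):
        reasons.append("is a directory")
    # Assumption: any of the three execute bits counts as "executable".
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable")
    if mode & stat.S_ISVTX:
        reasons.append("sticky bit set")
    return reasons

def audit_docroot(docroot):
    """Map each file under docroot (relative path) to the rules it fails."""
    report = {}
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(base, name)
            rel = os.path.relpath(full, docroot)
            try:
                mode = os.stat(full).st_mode
            except FileNotFoundError:  # dangling symlink
                mode = None
            report[rel] = tux_refusal_reasons(rel, mode)
    return report
```

An empty list for a path means it passes all eight checks under the default assumptions; the checks marked [1] may differ on a host where the sysctl parameters have been changed.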