--- a/mercurial/hgweb/server.py Thu Mar 15 22:35:07 2018 -0700
+++ b/mercurial/hgweb/server.py Sun Apr 01 01:27:18 2018 -0400
@@ -118,6 +118,14 @@
self.sent_headers = False
path, query = _splitURI(self.path)
+ # Ensure the slicing of path below is valid
+ if (path != self.server.prefix
+ and not path.startswith(self.server.prefix + b'/')):
+ self._start_response(common.statusmessage(404), [])
+ self._write("Not Found")
+ self._done()
+ return
+
env = {}
env[r'GATEWAY_INTERFACE'] = r'CGI/1.1'
env[r'REQUEST_METHOD'] = self.command
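Review bot: The new 404 branch returns right after `self._done()` without reading or discarding a request body, so for a POST to a path outside the prefix the unread bytes may stay on the socket; if this handler keeps connections alive (not visible in the hunk), they could be parsed as the start of the next request. Consider draining the body or forcing the connection closed for this response before the `return`. Separately, `self._write("Not Found")` passes an unprefixed literal while the neighbouring lines use `b'/'` and `r'...'` deliberately; if `_write` expects bytes, this should be `self._write(b"Not Found")`. The enclosing method starts and ends outside the hunk, so the slicing that the added comment refers to is not shown here.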