diff -r 177f3b90335f -r 7de7bd407251 mercurial/hgweb/server.py
--- a/mercurial/hgweb/server.py Thu Mar 15 22:35:07 2018 -0700
+++ b/mercurial/hgweb/server.py Sun Apr 01 01:27:18 2018 -0400
@@ -118,6 +118,14 @@
 self.sent_headers = False
 path, query = _splitURI(self.path)
 
+ # Ensure the slicing of path below is valid
+ if (path != self.server.prefix
+ and not path.startswith(self.server.prefix + b'/')):
+ self._start_response(common.statusmessage(404), [])
+ self._write("Not Found")
+ self._done()
+ return
+
 env = {}
 env[r'GATEWAY_INTERFACE'] = r'CGI/1.1'
 env[r'REQUEST_METHOD'] = self.command
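Review bot: The new rejection branch calls `self._start_response(common.statusmessage(404), [])` with an empty header list, so nothing in this hunk gives the "Not Found" body a Content-Type or Content-Length. Unless `_start_response` or `_done` (both outside the hunk) add them, the client has to guess the type and a persistent connection has no explicit body length; a header list along the lines of `[('Content-Type', 'text/plain'), ('Content-Length', '9')]`, using whatever string type the header API expects, would make the response self-describing. The body literal `"Not Found"` is also unprefixed while the check beside it uses `b'/'`, so if `_write` takes bytes, `b"Not Found"` would be the consistent spelling. The comment could state the reason more directly, e.g. `# path is taken from the request line; reject anything outside the configured prefix before it is sliced by len(prefix)`, hedged because the slicing itself is not visible here. The enclosing method starts and ends outside the hunk.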