diff --git a/lib/server.js b/lib/server.js
index 6058ca1..ac6878e 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -522,16 +522,34 @@ exports.Server = function Server(bsClient, workers, config, callback) {
 response.end();
 },
 '_patch': function patchHandler(uri, body, request, response) {
- var filePath = path.join(__dirname, uri);
- logger.trace('_patch', filePath);
-
- handleFile(filePath, request, response, true);
+ var root = __dirname;
+ try {
+ var absPath = path.resolve(root, '.' + uri);
+ var filePath = fs.realpathSync(absPath);
+ if (!filePath.startsWith(root)) {
+ sendError(response, 'Forbidden', 403);
+ return;
+ }
+ logger.trace('_patch', filePath);
+ handleFile(filePath, request, response, true);
+ } catch (err) {
+ sendError(response, 'Invalid path', 400);
+ }
 },
 '_default': function defaultHandler(uri, body, request, response) {
- var filePath = path.join(process.cwd(), uri);
- logger.trace('_default', filePath);
-
- handleFile(filePath, request, response);
+ var root = process.cwd();
+ try {
+ var absPath = path.resolve(root, '.' + uri);
+ var filePath = fs.realpathSync(absPath);
+ if (!filePath.startsWith(root)) {
+ sendError(response, 'Forbidden', 403);
+ return;
+ }
+ logger.trace('_default', filePath);
+ handleFile(filePath, request, response);
+ } catch (err) {
+ sendError(response, 'Invalid path', 400);
+ }
 }
 };
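Review bot: The containment check `if (!filePath.startsWith(root))` in both patchHandler and defaultHandler is a bare string-prefix test, so a sibling directory whose name extends the root (root `/srv/app`, resolved path `/srv/app-private/secret`) passes as "inside", and because `root` itself is never canonicalised, a `__dirname` or `process.cwd()` that goes through a symlink will never match the `fs.realpathSync` output and every request gets a 403. Canonicalise the root once and compare on a path-separator boundary: `var root = fs.realpathSync(__dirname);` (and `fs.realpathSync(process.cwd())` in defaultHandler) together with `if (filePath !== root && !filePath.startsWith(root + path.sep)) {`. Note also that `fs.realpathSync` throws ENOENT for a file that simply does not exist, so those requests, which previously reached `handleFile`, now return 400 'Invalid path' rather than whatever handleFile reported; consider mapping ENOENT to 404 or letting it fall through. `fs` is not referenced anywhere visible in the hunk, so confirm it is required at the top of lib/server.js. The enclosing `Server` function and its handler table start before this hunk and presumably continue after it.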