diff --git a/rc/bin/rc-httpd/handlers/dir-index b/rc/bin/rc-httpd/handlers/dir-index
index 5f1897cd5..6e3964a00 100755
--- a/rc/bin/rc-httpd/handlers/dir-index
+++ b/rc/bin/rc-httpd/handlers/dir-index
@@ -2,6 +2,10 @@
 PATH_INFO=`{echo $PATH_INFO | urlencode -d}
 full_path=$"FS_ROOT^$"PATH_INFO
 full_path=$"full_path
+if(! ~ `{cleanname -d$FS_ROOT $full_path} `{cleanname $FS_ROOT}^*){
+ error 503
+ exit
+}
 if(! test -d $full_path){
 error 404
 exit
@@ -14,8 +18,7 @@ builtin cd $full_path
 if(~ $"NOINDEXFILE ^ $"NOINDEX ''){
 ifile=index.htm*
 if(! ~ $ifile(1) *'*'){
- PATH_INFO=$ifile(1)
- FS_ROOT=''
+ PATH_INFO=$PATH_INFO^$ifile(1)
 exec serve-static
 }
 }
diff --git a/rc/bin/rc-httpd/handlers/serve-static b/rc/bin/rc-httpd/handlers/serve-static
index 119665ee3..a8fd0959b 100755
--- a/rc/bin/rc-httpd/handlers/serve-static
+++ b/rc/bin/rc-httpd/handlers/serve-static
@@ -1,6 +1,10 @@
 #!/bin/rc
 full_path=`{echo $"FS_ROOT^$"PATH_INFO | urlencode -d}
 full_path=$"full_path
+if(! ~ `{cleanname -d$FS_ROOT $full_path} `{cleanname $FS_ROOT}^*){
+ error 503
+ exit
+}
 if(~ $full_path */)
 error 503
 if(test -d $full_path){
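Review bot: The containment test in the added `if` is a bare string-prefix match with no path-separator boundary, so the cleaned `$FS_ROOT` followed by `*` also matches a cleaned path in a sibling directory whose name merely begins with the root's name. Matching the root itself or the root followed by `/` closes that: assign the two `cleanname` results to variables (named `clean` and `root` here for illustration) and test `if(! ~ $clean $root $root^/*)`. The command substitution is also split on `$ifs`, so a decoded path containing whitespace turns the subject into a list and, as far as I can tell, the match then succeeds if any single word matches; comparing one unsplit string would be safer. The identical test added in the serve-static hunk needs the same change. A one-line comment above the test saying it refuses paths that resolve outside `$FS_ROOT` after URL-decoding would help the next reader.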
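Review bot: `PATH_INFO` has already been through `urlencode -d` at the top of dir-index, and serve-static decodes `$"FS_ROOT^$"PATH_INFO` again, so with `PATH_INFO=$PATH_INFO^$ifile(1)` the request path is now decoded twice before the file is opened. The test in dir-index therefore checks a different string from the one serve-static finally uses, and only serve-static's own test covers the second decode. A comment here stating that dependency, or handing the path over in a form that is not decoded again, would make it explicit. The unquoted `$PATH_INFO` also concatenates element-wise if the decoded value was split into several words, so `PATH_INFO=$"PATH_INFO^$ifile(1)` would match the quoting used for `full_path`. The lines between the two dir-index hunks are not visible, so this assumes `PATH_INFO` is not reassigned there.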
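Review bot: The added test assumes `$FS_ROOT` is set and non-empty, yet the lines removed from dir-index in this same commit show serve-static used to be exec'd with `FS_ROOT=''`. If any other handler or site configuration still invokes it that way, both `cleanname` arguments are built from an empty value, and it is not clear from the hunk whether the test then refuses every request or fails in some other way. It is worth checking the remaining callers and recording the requirement in a comment such as `# FS_ROOT must be set; paths resolving outside it are refused`. Separately, `error 503` reports a refused path as a service outage, here and in the dir-index hunk; if the `error` helper supports it, a 403 or 400 would keep traversal attempts distinguishable from real outages in logs. The `if(test -d $full_path){` block continues past the end of the hunk.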