diff --git a/handlers.go b/handlers.go
index ad7c2baa0..7877068f0 100644
--- a/handlers.go
+++ b/handlers.go
@@ -17,6 +17,7 @@ import (
 "net/url"
 "os"
 "path"
+ "strings"
 "time"

 "github.com/gorilla/mux"
@@ -552,6 +553,13 @@ func (a *autographer) handleGetX5u(w http.ResponseWriter, r *http.Request) {
 return
 }

+ // The handler regex should reject such paths, but let's be extra certain that we have been given
+ // a path without any attempt to escape the X5U upload directory.
+ if strings.Contains(pathChainFile, "/") || strings.Contains(pathChainFile, "\\") || strings.Contains(pathChainFile, "..") {
+ httpError(w, r, http.StatusBadRequest, "Invalid X5U file name '%s'", pathChainFile)
+ return
+ }
+
 // Lookup the signer, and see if it has a local X5U chain upload location.
 // Treat all errors as a 404 to avoid leaking unnecessary signer details as this
 // endpoint has no authentication.
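Review bot: The new rejection branch in handleGetX5u formats the caller-supplied `pathChainFile` into the 400 message with `'%s'`, so on this unauthenticated endpoint an arbitrary string is reflected into the response, and presumably into whatever httpError logs (its body is not visible here). Quoting it keeps control characters and embedded quotes from being written raw: `httpError(w, r, http.StatusBadRequest, "Invalid X5U file name %q", pathChainFile)`; dropping the value from the message would also work. Separately, the guard is a substring denylist on the name alone, so it would be worth adding a comment where the name is joined to the upload directory stating that the final path is expected to stay under that directory, or checking that there if it is not already done. The join and the rest of the handler lie outside this hunk, so I cannot tell whether such a check exists.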