FU: Reject some invalid characters in path

Yorhel 2025-05-09 08:32:41 +02:00
parent 52c36e0aea
commit 6c54ee3091
2 changed files with 3 additions and 1 deletions

2
FU.pm

@ -313,10 +313,12 @@ sub _read_req($c) {
# Decode these into Unicode strings and check for special characters.
eval { FU::Util::utf8_decode($_); 1} || fu->error(400, $@)
for ($REQ->{path}, $REQ->{qs}, values $REQ->{hdr}->%*);
fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /#/; # Some bots don't correctly split off the fragment
($REQ->{path}, my $qs) = split /\?/, $REQ->{path}//'', 2;
$REQ->{qs} //= $qs;
eval { $REQ->{path} = FU::Util::uri_unescape($REQ->{path}); 1; } || fu->error(400, $@);
fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /[\r\n\t]/; # There are plenty other questionable characters, but newlines and tabs are definitely out
}
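Review bot: The added `/[\r\n\t]/` test at the end of the hunk covers only the unescaped path; the query string split off earlier in the hunk goes through `FU::Util::utf8_decode` alone, and the character class in that function (shown in the other file of this commit) still lets `\t`, `\n` and `\r` through. If the raw query string can reach logs or a redirect target (not visible here), the same rejection is worth applying after the `//=` line, e.g. `fu->error(400, 'Invalid character in query string') if ($REQ->{qs}//'') =~ /[\r\n\t]/;`. Separately, the new `=~ /#/` test reads `$REQ->{path}` before the `//''` default on the following line, so an undefined path would raise an "uninitialized" warning there; `($REQ->{path}//'') =~ /#/` avoids it. `_read_req` begins before this hunk.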


@ -20,7 +20,7 @@ our @EXPORT_OK = qw/
sub utf8_decode :prototype($) {
return if !defined $_[0];
confess 'Invalid UTF-8' if !utf8::decode($_[0]);
confess 'Invalid control character' if $_[0] =~ /[\x00-\x08\x0b\x0c\x0e-\x1f]/;
confess 'Invalid control character' if $_[0] =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;
$_[0]
}
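Review bot: The character class in `utf8_decode` skips `\x09`, `\x0a` and `\x0d` without saying so, and the FU.pm change in this commit depends on that gap by rejecting those three itself for the path. A comment above the `confess` line would keep the two in step, e.g. `# C0 controls and DEL; \t, \n and \r are allowed here and left to callers to reject`. C1 controls (`\x80`-`\x9f`) also pass after decoding; whether that is intended is not clear from the hunk.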