Don't allow the static servlet to serve paths with "\" in them

On Windows that might be a path separator character.  We don't
serve subdirectories from the $site_path/static directory.

Signed-off-by: Shawn O. Pearce <sop@google.com>

appjar/src/main/java/com/google/gerrit/server/StaticServlet.java

@@ -108,12 +108,25 @@ public class StaticServlet extends HttpServlet {
 
   private File local(final HttpServletRequest req) {
     final String name = req.getPathInfo();
-    if (name.startsWith("/") && name.length() > 1 && name.indexOf('/', 1) < 0) {
+    if (name.length() < 2 || !name.startsWith("/")) {
+      // Too short to be a valid file name, or doesn't start with
+      // the path info separator like we expected.
+      //
+      return null;
+    }
+
+    if (name.indexOf('/', 1) > 0 || name.indexOf('\\', 1) > 0) {
+      // Contains a path separator. Don't serve it as the client
+      // might be trying something evil like "/../../etc/passwd".
+      // This static servlet is just meant to facilitate simple
+      // assets like banner images.
+      //
+      return null;
+    }
+
     final File p = new File(staticBase, name.substring(1));
     return p.isFile() ? p : null;
   }
-    return null;
-  }
 
   @Override
   protected long getLastModified(final HttpServletRequest req) {