diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java b/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java
index c3fb454514..cbc0c0cecd 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java
@@ -404,6 +404,12 @@ public class ReceiveCommits implements PreReceiveHook, PostReceiveHook {
         continue;
       }
 
+      if (!Repository.isValidRefName(cmd.getRefName())
+          || cmd.getRefName().contains("//")) {
+        reject(cmd, "not valid ref");
+        continue;
+      }
+
       if (cmd.getRefName().startsWith(NEW_CHANGE)) {
         parseNewChangeCommand(cmd);
         continue;