diff -r 6f47eb624665 -r 5c752979bfd6 src/server/daemon/httprequest.c
--- a/src/server/daemon/httprequest.c	Sat Jan 28 10:53:46 2017 +0100
+++ b/src/server/daemon/httprequest.c	Mon Jan 30 20:54:20 2017 +0100
@@ -234,11 +234,22 @@
     }
     
     // Get abs_path part of request URI, and canonicalize the path
+    sstr_t orig_path = absPath;
     absPath.ptr = util_canonicalize_uri(
             pool,
             absPath.ptr,
             absPath.length,
             (int*)&absPath.length);
+    if(!absPath.ptr) {
+        log_ereport(
+                LOG_WARN,
+                "invalid request path: {%.*s}",
+                (int)orig_path.length,
+                orig_path.ptr);
+        pool_destroy(pool);
+        // TODO: 400 bad request
+        return 1;
+    }
 
     // Decode the abs_path
     if(util_uri_unescape_strict(absPath.ptr)) {
@@ -250,7 +261,12 @@
                 rq->rq.reqpb);
     } else {
         // TODO: log error
-        log_ereport(LOG_WARN, "uri unescape failed");
+        log_ereport(
+                LOG_WARN,
+                "uri unescape failed: {%.*s}",
+                (int)absPath.length,
+                absPath.ptr);
+        // TODO: 400 bad request
         pblock_kvinsert(pb_key_uri, "/", 1, rq->rq.reqpb);
     }