diff --git a/src/sbbs3/websrvr.c b/src/sbbs3/websrvr.c
index 3979c240983a7168b6a701ca69d0b3890485fc15..f19cfe814608f9b75691ad9bd8fe7e3ca660d0fd 100644
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -3148,6 +3148,15 @@ static BOOL is_legal_host(const char *host, BOOL strip_port)
 	return TRUE;
 }
 
+static BOOL is_legal_path(const char* path)
+{
+#ifdef _WIN32	// Fix for Issue 269 (NTFS Alternate Data Stream vulnerability) and other potential unexpected pathname issues on Windows
+	if (strchr(path, ':') != NULL)
+		return FALSE;
+#endif
+	return TRUE;
+}
+
 static BOOL get_req(http_session_t * session, char *request_line)
 {
 	char	req_line[MAX_REQUEST_LINE+1];
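Review bot: is_legal_path() rejects any colon, so it is only correct when `path` is the request-relative path, and nothing in the function states that. A Windows path that already carries a drive prefix would fail every request. I would add a header comment giving the contract, e.g. `/* path must be request-relative (no drive prefix); call before the web root is prepended */`. The `#ifdef` comment also mentions "other potential unexpected pathname issues", but only `:` is tested. Win32 normalisation of trailing dots and spaces is a separate case that may need the same treatment if the server selects handlers by file extension; that should be confirmed against the rest of the file.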
@@ -3198,6 +3207,10 @@ static BOOL get_req(http_session_t * session, char *request_line)
 				send_error(session,__LINE__,"400 Bad Request");
 				return FALSE;
 			}
+			if (!is_legal_path(session->req.physical_path)) {
+				send_error(session,__LINE__,"400 Bad Request");
+				return FALSE;
+			}
 			if(!get_fullpath(session)) {
 				send_error(session,__LINE__,error_500);
 				return(FALSE);
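Review bot: The added `is_legal_path(session->req.physical_path)` check only helps if `physical_path` is already URL-decoded at this point, and the hunk does not show where decoding happens. If the unescape step runs later in get_req() or inside get_fullpath(), a percent-encoded colon would pass here and be decoded afterwards, so the check belongs after the last step that decodes or rewrites the path. A short comment at the call would pin the ordering, e.g. `/* must run after URL-decoding and before get_fullpath() */`. get_req() starts and ends outside this hunk, so this needs confirming against the full function.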