Move sanitization of URL.Path to Server

No need to have this in every plugin. And, even in flat filesystems
filenames with dots and slashes are best avoided.

server/server.go

@@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
 	"runtime"
 	"strings"
 	"sync"
@@ -332,6 +333,16 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	// Use URL.RawPath If you need the original, "raw" URL.Path in your middleware.
+	// Collapse any ./ ../ /// madness here instead of doing that in every plugin.
+	if r.URL.Path != "/" {
+		path := filepath.Clean(r.URL.Path)
+		if !strings.HasPrefix(path, "/") {
+			path = "/" + path
+		}
+		r.URL.Path = path
+	}
+
 	// Execute the optional request callback if it exists and it's not disabled
 	if s.ReqCallback != nil && !s.vhosts[host].config.TLS.Manual && s.ReqCallback(w, r) {
 		return