diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index af8971e8..54bb6c35 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -210,11 +210,14 @@ class HttpCli(object):
         self.uparam = uparam
         self.cookies = cookies
         self.vpath = unquotep(vpath)  # not query, so + means +
+
+        ok = "\x00" not in self.vpath
         if ANYWIN:
-            mod = relchk(self.vpath)
-            if mod:
-                self.log("invalid relpath [{}]".format(self.vpath))
-                return self.tx_404() and self.keepalive
+            ok = ok and not relchk(self.vpath)
+
+        if not ok:
+            self.log("invalid relpath [{}]".format(self.vpath))
+            return self.tx_404() and self.keepalive
 
         pwd = None
         ba = self.headers.get("authorization")
diff --git a/copyparty/util.py b/copyparty/util.py
index 3dcdfe85..6ba788a4 100644
--- a/copyparty/util.py
+++ b/copyparty/util.py
@@ -942,9 +942,12 @@ def sanitize_fn(fn, ok, bad):
 
 def relchk(rp):
     if ANYWIN:
+        if "\n" in rp or "\r" in rp:
+            return "x\nx"
+
         p = re.sub(r'[\\:*?"<>|]', "", rp)
         if p != rp:
-            return p
+            return "[{}]".format(p)
 
 
 def absreal(fpath):