The debian and rpm handlers take the request path and pass it directly
to the upstream URL without checking for ".." segments. This could let
a client craft a request that reaches unintended upstream paths.
Add a containsPathTraversal check at the entry point of both handlers
and return 400 for any path containing ".." segments.
