diff --git a/boost.api.inc b/boost.api.inc
index dae0e947670b4a9da092b7f9e7b6b87f3f342ae9..09afb94f75eb07e615046f7fa52be7abd98fd2e9 100644
--- a/boost.api.inc
+++ b/boost.api.inc
@@ -177,11 +177,15 @@ function boost_file_path($path) {
 $path = 'index'; // special handling for Drupal's front page
 }

- // Convert any undesirable characters in the path to underscores
- $path = preg_replace('@[^/a-z0-9_-]@i', '_', $path);
+ // Under no circumstances should the incoming path contain '..' or null
+ // bytes; we also limit the maximum directory nesting depth of the path
+ if (strpos($path, '..') !== FALSE || strpos($path, "\0") !== FALSE ||
+ count(explode('/', $path)) > BOOST_MAX_PATH_DEPTH) {
+ return FALSE;
+ }

- // Limit the maximum directory nesting depth of the path
- $path = implode('/', array_slice(explode('/', $path), 0, BOOST_MAX_PATH_DEPTH));
+ // Convert any other undesirable characters in the path to underscores
+ $path = preg_replace('@[^/a-z0-9_-]@i', '_', $path);

 return boost_cache_directory() . '/' . $path . BOOST_FILE_EXTENSION;
 }
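Review bot: The new early `return FALSE;` in boost_file_path() changes the function's contract, and nothing visible in this hunk shows that callers handle it. A caller that concatenates the result or passes it straight to a filesystem function would be working with an empty string instead of a cache path. The start of the function and its docblock are outside the hunk, so this may already be covered there. If it is not, I would add to the docblock `@return The cache file path, or FALSE if $path contains '..', a null byte, or is nested deeper than BOOST_MAX_PATH_DEPTH.` and have each caller test the result with `=== FALSE` before any read, write or unlink.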