diff --git a/jetty-alpn/jetty-alpn-server/src/main/config/modules/protonego-impl/alpn-1.8.0_77.mod b/jetty-alpn/jetty-alpn-server/src/main/config/modules/protonego-impl/alpn-1.8.0_77.mod
new file mode 100644
index 00000000000..3628757cbfd
--- /dev/null
+++ b/jetty-alpn/jetty-alpn-server/src/main/config/modules/protonego-impl/alpn-1.8.0_77.mod
@@ -0,0 +1,8 @@
+[name]
+protonego-boot
+
+[files]
+http://central.maven.org/maven2/org/mortbay/jetty/alpn/alpn-boot/8.1.7.v20160121/alpn-boot-8.1.7.v20160121.jar|lib/alpn/alpn-boot-8.1.7.v20160121.jar
+
+[exec]
+-Xbootclasspath/p:lib/alpn/alpn-boot-8.1.7.v20160121.jar
diff --git a/jetty-start/src/test/resources/dist-home/modules/protonego-impl/alpn-1.8.0_77.mod b/jetty-start/src/test/resources/dist-home/modules/protonego-impl/alpn-1.8.0_77.mod
new file mode 100644
index 00000000000..3628757cbfd
--- /dev/null
+++ b/jetty-start/src/test/resources/dist-home/modules/protonego-impl/alpn-1.8.0_77.mod
@@ -0,0 +1,8 @@
+[name]
+protonego-boot
+
+[files]
+http://central.maven.org/maven2/org/mortbay/jetty/alpn/alpn-boot/8.1.7.v20160121/alpn-boot-8.1.7.v20160121.jar|lib/alpn/alpn-boot-8.1.7.v20160121.jar
+
+[exec]
+-Xbootclasspath/p:lib/alpn/alpn-boot-8.1.7.v20160121.jar
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java b/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
index ca070dd8c14..03d2a180fb7 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
@@ -381,6 +381,53 @@ public class StringUtil
         }
     }
 
+    /**
+     * Find the index of a control characters in String
+     * <p>
+     * This will return a result on the first occurrence of a control character, regardless if
+     * there are more than one.
+     * </p>
+     * <p>
+     * Note: uses codepoint version of {@link Character#isISOControl(int)} to support Unicode better.
+     * </p>
+     *
+     * <pre>
+     *   indexOfControlChars(null)      == -1
+     *   indexOfControlChars("")        == -1
+     *   indexOfControlChars("\r\n")    == 0
+     *   indexOfControlChars("\t")      == 0
+     *   indexOfControlChars("   ")     == -1
+     *   indexOfControlChars("a")       == -1
+     *   indexOfControlChars(".")       == -1
+     *   indexOfControlChars(";\n")     == 1
+     *   indexOfControlChars("abc\f")   == 3
+     *   indexOfControlChars("z\010")   == 1
+     *   indexOfControlChars(":\u001c") == 1
+     * </pre>
+     *
+     * @param str
+     *            the string to test.
+     * @return the index of first control character in string, -1 if no control characters encountered
+     */
+    public static int indexOfControlChars(String str)
+    {
+        if (str == null)
+        {
+            return -1;
+        }
+        int len = str.length();
+        for (int i = 0; i < len; i++)
+        {
+            if (Character.isISOControl(str.codePointAt(i)))
+            {
+                // found a control character, we can stop searching  now
+                return i;
+            }
+        }
+        // no control characters
+        return -1;
+    }
+
     /* ------------------------------------------------------------ */
     /**
      * Test if a string is null or only has whitespace characters in it.
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java
index b5c7bacf3c5..d4942eec15e 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java
@@ -29,10 +29,12 @@ import java.net.URL;
 import java.net.URLConnection;
 import java.nio.channels.FileChannel;
 import java.nio.channels.ReadableByteChannel;
+import java.nio.file.InvalidPathException;
 import java.nio.file.StandardOpenOption;
 import java.security.Permission;
 
 import org.eclipse.jetty.util.IO;
+import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -67,6 +69,7 @@ public class FileResource extends Resource
         {
             // Try standard API to convert URL to file.
             file =new File(url.toURI());
+            assertValidPath(file.toString());
         }
         catch (URISyntaxException e) 
         {
@@ -110,6 +113,7 @@ public class FileResource extends Resource
         _file=file;
         URI file_uri=_file.toURI();
         _uri=normalizeURI(_file,uri);
+        assertValidPath(file.toString());
 
         // Is it a URI alias?
         if (!URIUtil.equalsIgnoreEncodings(_uri,file_uri.toString()))
@@ -121,6 +125,7 @@ public class FileResource extends Resource
     /* -------------------------------------------------------- */
     public FileResource(File file)
     {
+        assertValidPath(file.toString());
         _file=file;
         _uri=normalizeURI(_file,_file.toURI());
         _alias=checkFileAlias(_file);
@@ -182,6 +187,7 @@ public class FileResource extends Resource
     public Resource addPath(String path)
         throws IOException, MalformedURLException
     {
+        assertValidPath(path);
         path = org.eclipse.jetty.util.URIUtil.canonicalPath(path);
 
         if (path==null)
@@ -207,7 +213,7 @@ public class FileResource extends Resource
         }
         catch (final URISyntaxException e)
         {
-            throw new MalformedURLException(e.getMessage())
+            throw new InvalidPathException(path, e.getMessage())
             {
                 {
                     initCause(e);
@@ -217,8 +223,16 @@ public class FileResource extends Resource
 
         return new FileResource(uri);
     }
-   
-    
+
+    private void assertValidPath(String path)
+    {
+        int idx = StringUtil.indexOfControlChars(path);
+        if (idx >= 0)
+        {
+            throw new InvalidPathException(path, "Invalid Character at index " + idx);
+        }
+    }
+
     /* ------------------------------------------------------------ */
     @Override
     public URI getAlias()
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/PathResource.java b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/PathResource.java
index 7044923fcb5..892e34140c7 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/PathResource.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/PathResource.java
@@ -39,6 +39,7 @@ import java.util.ArrayList;
 import java.util.List;
 
 import org.eclipse.jetty.util.IO;
+import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
@@ -165,6 +166,7 @@ public class PathResource extends Resource
     public PathResource(Path path)
     {
         this.path = path.toAbsolutePath();
+        assertValidPath(path);
         this.uri = this.path.toUri();
         this.alias = checkAliasPath(path);
     }
@@ -255,6 +257,17 @@ public class PathResource extends Resource
         return new PathResource(this.path.getFileSystem().getPath(path.toString(), subpath));
     }
 
+    private void assertValidPath(Path path)
+    {
+        // TODO merged from 9.2, check if necessary
+        String str = path.toString();
+        int idx = StringUtil.indexOfControlChars(str);
+        if(idx >= 0)
+        {
+            throw new InvalidPathException(str, "Invalid Character at index " + idx);
+        }
+    }
+    
     @Override
     public void close()
     {
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
index a33170a629c..09889fa891b 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
@@ -18,20 +18,20 @@
 
 package org.eclipse.jetty.util;
 
+import java.nio.charset.StandardCharsets;
+
+import org.junit.Assert;
+import org.junit.Test;
+
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.emptyArray;
+import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.nullValue;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 
-import java.nio.charset.StandardCharsets;
-
-import org.hamcrest.Matchers;
-import org.junit.Assert;
-import org.junit.Test;
-
 public class StringUtilTest
 {
     @Test
@@ -205,6 +205,25 @@ public class StringUtilTest
         System.err.println(calc);
     }
 
+    @Test
+    public void testHasControlCharacter()
+    {
+        assertThat(StringUtil.indexOfControlChars("\r\n"), is(0));
+        assertThat(StringUtil.indexOfControlChars("\t"), is(0));
+        assertThat(StringUtil.indexOfControlChars(";\n"), is(1));
+        assertThat(StringUtil.indexOfControlChars("abc\fz"), is(3));
+        assertThat(StringUtil.indexOfControlChars("z\010"), is(1));
+        assertThat(StringUtil.indexOfControlChars(":\u001c"), is(1));
+
+        assertThat(StringUtil.indexOfControlChars(null), is(-1));
+        assertThat(StringUtil.indexOfControlChars(""), is(-1));
+        assertThat(StringUtil.indexOfControlChars("   "), is(-1));
+        assertThat(StringUtil.indexOfControlChars("a"), is(-1));
+        assertThat(StringUtil.indexOfControlChars("."), is(-1));
+        assertThat(StringUtil.indexOfControlChars(";"), is(-1));
+        assertThat(StringUtil.indexOfControlChars("Euro is \u20ac"), is(-1));
+    }
+
     @Test
     public void testIsBlank() 
     {