diff --git a/src/Blob/Blob.csproj b/src/Blob/Blob.csproj
index 50658c3720111a133d40049b5523e13e21053a9d..c74cf7aeeee565ee763b6aaa6c067b11623c109a 100644
--- a/src/Blob/Blob.csproj
+++ b/src/Blob/Blob.csproj
@@ -53,8 +53,8 @@
     <Reference Include="Consul, Version=0.7.2.6, Culture=neutral, PublicKeyToken=20a6ad9a81df1d95, processorArchitecture=MSIL">
       <HintPath>..\packages\Consul.0.7.2.6\lib\net45\Consul.dll</HintPath>
     </Reference>
-    <Reference Include="Coscine.Api.WaterbutlerHelper, Version=1.1.0.0, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>..\packages\Coscine.Api.WaterbutlerHelper.1.1.0\lib\net461\Coscine.Api.WaterbutlerHelper.dll</HintPath>
+    <Reference Include="Coscine.Api.WaterbutlerHelper, Version=1.1.1.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\Coscine.Api.WaterbutlerHelper.1.1.1\lib\net461\Coscine.Api.WaterbutlerHelper.dll</HintPath>
     </Reference>
     <Reference Include="Coscine.ApiCommons, Version=1.9.0.0, Culture=neutral, PublicKeyToken=af4c1345df96546b, processorArchitecture=MSIL">
       <HintPath>..\packages\Coscine.ApiCommons.1.9.0\lib\net461\Coscine.ApiCommons.dll</HintPath>
diff --git a/src/Blob/Controllers/BlobController.cs b/src/Blob/Controllers/BlobController.cs
index 38d4ec94866a95d7cada8f630a801008f342042f..f32bc5ebe220bfe92a5a879da25741cceb17d060 100644
--- a/src/Blob/Controllers/BlobController.cs
+++ b/src/Blob/Controllers/BlobController.cs
@@ -140,13 +140,17 @@ namespace Coscine.Api.Blob.Controllers
         // inferring a ../ (urlencoded) can manipulate the url.
         // However the constructed signature for s3 won't match and it will not be resolved.
         // This may be a problem for other provider!
-        [HttpGet("[controller]/{resourceId}/{path}")]
+        [HttpGet("[controller]/{resourceId}/{*path}")]
         [DisableRequestSizeLimit]
         public async Task<IActionResult> GetFile(string resourceId, string path)
         {
-            var user = _authenticator.GetUser();
+            path = $"/{path}";
+            if (path.Contains("%2F") || path.Contains("%2f"))
+            {
+                return BadRequest("Path can not contain the sequence %2F.");
+            }
 
-            path = HttpUtility.UrlDecode(path);
+            var user = _authenticator.GetUser();
 
             var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
             if (check != null)
@@ -201,13 +205,17 @@ namespace Coscine.Api.Blob.Controllers
         // inferring a ../ (urlencoded) can manipulate the url.
         // However the constructed signature for s3 won't match and it will not be resolved.
         // This may be a problem for other provider!
-        [HttpPut("[controller]/{resourceId}/{path}")]
+        [HttpPut("[controller]/{resourceId}/{*path}")]
         [DisableRequestSizeLimit]
         public async Task<IActionResult> UploadFile(string resourceId, string path)
         {
-            var user = _authenticator.GetUser();
+            path = $"/{path}";
+            if (path.Contains("%2F") || path.Contains("%2f"))
+            {
+                return BadRequest("Path can not contain the sequence %2F.");
+            }
 
-            path = HttpUtility.UrlDecode(path);
+            var user = _authenticator.GetUser();
 
             var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
             if (check != null)
@@ -229,7 +237,7 @@ namespace Coscine.Api.Blob.Controllers
             else
             {
                 var provider = GetResourceTypeName(resource);
-                var infos = await _waterbutlerInterface.GetObjectInfoAsync("/" + path, provider, authHeader);
+                var infos = await _waterbutlerInterface.GetObjectInfoAsync(path, provider, authHeader);
 
                 // Not found, upload new
                 if (infos == null)
@@ -277,12 +285,16 @@ namespace Coscine.Api.Blob.Controllers
             }
         }
 
-        [HttpDelete("[controller]/{resourceId}/{path}")]
+        [HttpDelete("[controller]/{resourceId}/{*path}")]
         public async Task<IActionResult> DeleteFile(string resourceId, string path)
         {
-            var user = _authenticator.GetUser();
+            path = $"/{path}";
+            if (path.Contains("%2F") || path.Contains("%2f"))
+            {
+                return BadRequest("Path can not contain the sequence %2F.");
+            }
 
-            path = HttpUtility.UrlDecode(path);
+            var user = _authenticator.GetUser();
 
             var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
             if (check != null)
diff --git a/src/Blob/packages.config b/src/Blob/packages.config
index 5e73671a8ab207ac299b30284d48b81defbf7292..bf9a2bd50e293cbbd2dd23db0892abd213e79588 100644
--- a/src/Blob/packages.config
+++ b/src/Blob/packages.config
@@ -3,7 +3,7 @@
   <package id="AWSSDK.Core" version="3.3.107.8" targetFramework="net461" />
   <package id="AWSSDK.S3" version="3.3.111.9" targetFramework="net461" />
   <package id="Consul" version="0.7.2.6" targetFramework="net461" />
-  <package id="Coscine.Api.WaterbutlerHelper" version="1.1.0" targetFramework="net461" />
+  <package id="Coscine.Api.WaterbutlerHelper" version="1.1.1" targetFramework="net461" />
   <package id="Coscine.ApiCommons" version="1.9.0" targetFramework="net461" />
   <package id="Coscine.Configuration" version="1.5.0" targetFramework="net461" />
   <package id="Coscine.Database" version="1.22.2" targetFramework="net461" />