git/http transports: do more project name validation
Due to the way projects and forks are laid out, it's possible to
push a collection of refs that creates a directory layout that
resembles a GIT_DIR. Enough so that Git will think it is one
and fail miserably on many activities. This could, perhaps, be
used to corrupt the repository on a push.
In order to do this, the project/fork path would have to contain
an embedded '.git/' sequence. Check for this and forbid it.
The UI will not allow a project/fork name to be created that ends
in .git so this could only happen maliciously.