diff --git a/radicale/__init__.py b/radicale/__init__.py
index 3c99baa..9b85c6b 100644
--- a/radicale/__init__.py
+++ b/radicale/__init__.py
@@ -357,8 +357,10 @@ class Application:
 environ.get("SCRIPT_NAME", "")).rstrip("/")
 self.logger.debug("Sanitized script name: %s", environ["SCRIPT_NAME"])
 base_prefix = environ["SCRIPT_NAME"]
- # Sanitize request URI
- environ["PATH_INFO"] = storage.sanitize_path(environ["PATH_INFO"])
+ # Sanitize request URI (a WSGI server indicates with an empty path,
+ # that the URL targets the application root without a trailing slash)
+ if environ["PATH_INFO"]:
+ environ["PATH_INFO"] = storage.sanitize_path(environ["PATH_INFO"])
 self.logger.debug("Sanitized path: %s", environ["PATH_INFO"])
 path = environ["PATH_INFO"]
 if base_prefix and path.startswith(base_prefix):
@@ -597,6 +599,9 @@ class Application:
 if not self._access(user, path, "w"):
 return NOT_ALLOWED
 to_path = storage.sanitize_path(to_url.path)
+ if not (to_path + "/").startswith(base_prefix + "/"):
+ return NOT_ALLOWED
+ to_path = to_path[len(base_prefix):]
 if not self._access(user, to_path, "w"):
 return NOT_ALLOWED
diff --git a/radicale/storage.py b/radicale/storage.py
index f9ec41e..7c0734a 100644
--- a/radicale/storage.py
+++ b/radicale/storage.py
@@ -466,10 +466,6 @@ class Collection(BaseCollection):
 @classmethod
 def discover(cls, path, depth="0"):
- if path is None:
- # Wrong URL
- return
-
 # Path should already be sanitized
 sane_path = sanitize_path(path).strip("/")
 attributes = sane_path.split("/")
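Review bot: With the added `if environ["PATH_INFO"]:` guard an empty PATH_INFO now reaches `path = environ["PATH_INFO"]` without ever passing through `storage.sanitize_path`, so every consumer of `path` below this hunk has to accept "" in addition to the sanitized, slash-prefixed form; whether the code after the hunk does so is not visible here, and the comment should say that "" is deliberately preserved rather than only why it occurs. The comment as written also reads awkwardly ("indicates with an empty path, that"); suggested wording: `# Sanitize request URI. An empty PATH_INFO is left untouched: a WSGI server uses it to signal a request for the application root without a trailing slash, and sanitizing it would presumably turn it into "/" and hide that case.` The enclosing method starts and ends outside the hunk.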
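Review bot: The new check on `to_path` validates only the path component of the Destination URL; if the scheme and host of `to_url` are not compared with the request's own elsewhere in the method (not visible in this hunk), a destination on a different server whose path happens to lie under `base_prefix` would still be stripped to a local collection path and fall through to the `_access` check. That is presumably what the surrounding code handles, so it mainly deserves a sentence in a comment, and the trailing-slash trick is worth explaining too, e.g. `# Reject destinations outside the application root before stripping the prefix; the appended "/" keeps a prefix like "/app" from matching "/app2" (names constructed)`. If a distinct status is wanted for a foreign destination, WebDAV (RFC 4918) uses 502 Bad Gateway for a destination on another server, though NOT_ALLOWED is a defensible default. This assumes `base_prefix` here is the same sanitized SCRIPT_NAME as in the first hunk; the enclosing method starts and ends outside the hunk.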