diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index a85f3c5a..ad6d532f 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -330,6 +330,9 @@ class UiRequest(object):
         if path.endswith("/"):
             path = path + "index.html"
 
+        if ".." in path:
+            raise Exception("Invalid path")
+
         match = re.match("/media/(?P<address>[A-Za-z0-9\._-]+)/(?P<inner_path>.*)", path)
         if match:
             path_parts = match.groupdict()