diff --git a/ui/lib/ace/static.js b/ui/lib/ace/static.js
index fcf6a78..10c9296 100755
--- a/ui/lib/ace/static.js
+++ b/ui/lib/ace/static.js
@@ -31,6 +31,11 @@ if (allowSave)
 http.createServer(function(req, res) {
 var uri = unescape(url.parse(req.url).pathname);
+ if (path.normalize(unescape(uri)) !== unescape(uri)) {
+ res.statusCode = 403;
+ res.end();
+ return;
+ }
 var filename = path.join(process.cwd(), uri);
 if (req.method == "OPTIONS") {