1 files changed, 13 insertions, 2 deletions

diff --git a/src/web/ejabberd_http.erl b/src/web/ejabberd_http.erl
index 612a544bd..d5abc516c 100644
--- a/src/web/ejabberd_http.erl
+++ b/src/web/ejabberd_http.erl
@@ -372,7 +372,7 @@ process_request(#state{request_method = Method,
 	{'EXIT', _} ->
 	    make_bad_request(State);
 	{NPath, Query} ->
-	    LPath = [path_decode(NPE) || NPE <- string:tokens(NPath, "/")],
+	    LPath = normalize_path([NPE || NPE <- string:tokens(path_decode(NPath), "/")]),
 	    LQuery = case (catch parse_urlencoded(Query)) of
 			 {'EXIT', _Reason} ->
 			     [];
@@ -449,7 +449,7 @@ process_request(#state{request_method = Method,
 	{'EXIT', _} ->
             make_bad_request(State);
 	{NPath, _Query} ->
-	    LPath = [path_decode(NPE) || NPE <- string:tokens(NPath, "/")],
+	    LPath = normalize_path([NPE || NPE <- string:tokens(path_decode(NPath), "/")]),
 	    LQuery = case (catch parse_urlencoded(Data)) of
 			 {'EXIT', _Reason} ->
 			     [];
@@ -1125,3 +1125,14 @@ drop_spaces(YS=[X|XS]) ->
 	false ->
 	    YS
     end.
+
+normalize_path(Path) ->
+    normalize_path(Path, []).
+
+normalize_path([], Norm) -> lists:reverse(Norm);
+normalize_path([".."|Path], Norm) ->
+    normalize_path(Path, Norm);
+normalize_path([_Parent, ".."|Path], Norm) ->
+    normalize_path(Path, Norm);
+normalize_path([Part | Path], Norm) ->
+    normalize_path(Path, [Part|Norm]).