diff --git a/src/org/loklak/LoklakServer.java b/src/org/loklak/LoklakServer.java
index b9c49136c..54156833b 100644
--- a/src/org/loklak/LoklakServer.java
+++ b/src/org/loklak/LoklakServer.java
@@ -374,7 +374,10 @@ private static void extractContents() {
 private static void extract(JarFile jar, JarEntry file) throws IOException {
 Path workingDirectory = Paths.get("").toAbsolutePath();
- File target = new File(workingDirectory.toString() + File.separator + file.getName());
+ File target = new File(workingDirectory.toString(), file.getName());
+ if (!target.toPath().normalize().startsWith(workingDirectory.toString())) {
+ throw new IOException("Bad zip entry");
+ }
 if (target.exists()) return;