diff --git a/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java b/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java
index b80a6c6191..bbc6766548 100644
--- a/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java
+++ b/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java
@@ -50,6 +50,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.FileUtils;
 import org.deegree.commons.config.DeegreeWorkspace;
 import org.deegree.commons.utils.Pair;
@@ -84,15 +85,24 @@ public static void upload( String path, HttpServletRequest req, HttpServletRespo
 // unzip a workspace
 String wsName = p.second.substring( 0, p.second.length() - 4 );
 String dirName = p.second.endsWith( ".zip" ) ? wsName : p.second;
- File dir = new File( getWorkspaceRoot(), dirName );
- if ( isWorkspace( dirName ) ) {
+ File workspaceRoot = new File ( getWorkspaceRoot() );
+ File dir = new File( workspaceRoot, dirName );
+ if ( !FileUtils.directoryContains( workspaceRoot, dir ) ) {
+ IOUtils.write( "Workspace " + wsName + " invalid.\n", resp.getOutputStream() );
+ return;
+ } else if ( isWorkspace( dirName ) ) {
 IOUtils.write( "Workspace " + wsName + " exists.\n", resp.getOutputStream() );
 return;
 }
 unzip( in, dir );
 IOUtils.write( "Workspace " + wsName + " uploaded.\n", resp.getOutputStream() );
 } else {
- File dest = new File( p.first.getLocation(), p.second );
+ File workspaceDir = p.first.getLocation();
+ File dest = new File( workspaceDir, p.second );
+ if ( !FileUtils.directoryContains( workspaceDir, dest ) ) {
+ IOUtils.write( "Unable to upload file: " + p.second + ".\n", resp.getOutputStream() );
+ return;
+ }
 if ( !dest.getParentFile().exists() && !dest.getParentFile().mkdirs() ) {
 IOUtils.write( "Unable to create parent directory for upload.\n", resp.getOutputStream() );
 return;
diff --git a/deegree-services/deegree-webservices/src/main/java/org/deegree/console/workspace/WorkspaceBean.java b/deegree-services/deegree-webservices/src/main/java/org/deegree/console/workspace/WorkspaceBean.java
index 1d4aa575d8..b00ee547c3 100644
--- a/deegree-services/deegree-webservices/src/main/java/org/deegree/console/workspace/WorkspaceBean.java
+++ b/deegree-services/deegree-webservices/src/main/java/org/deegree/console/workspace/WorkspaceBean.java
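Review bot: The new `FileUtils.directoryContains( workspaceRoot, dir )` guard runs before `dir` exists, and in the commons-io 2.x releases I know (through at least 2.11) that method returns false whenever the child does not exist, so every fresh workspace upload would be answered with "invalid", and the same applies to the `dest` check in the else branch for files not yet present; please verify against the commons-io version on the classpath. Those same releases implement the containment test as a bare canonical-path prefix match, so a name that resolves to a sibling directory whose path starts with the root's path still passes. A check that works for not-yet-created paths and closes the sibling case is `String root = workspaceRoot.getCanonicalPath() + File.separator; if ( !dir.getCanonicalPath().startsWith( root ) ) {`, applied the same way to `workspaceDir`/`dest`. `unzip( in, dir )` is outside this hunk; unless it canonicalizes each entry name against `dir`, a zip entry named `../x` can still escape the workspace. The enclosing `upload` method starts and ends outside the hunk.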
@@ -302,6 +302,11 @@ public String unzipWorkspace() {
 File wsRoot = new File( getWorkspaceRoot() );
 in = new FileInputStream( new File( upload.getAbsolutePath() ) );
 File target = new File( wsRoot, workspaceImportName );
+
+ if ( !FileUtils.directoryContains( wsRoot, target ) ) {
+ throw new Exception( "Invalid workspace name: '" + workspaceImportName + "'." );
+ }
+
 if ( target.exists() ) {
 throw new Exception( "Workspace '" + workspaceImportName + "' already exists." );
 } else {
diff --git a/deegree-services/deegree-webservices/src/main/webapp/console/client/download.jsp b/deegree-services/deegree-webservices/src/main/webapp/console/client/download.jsp
index bf0af89125..038d9463f7 100644
--- a/deegree-services/deegree-webservices/src/main/webapp/console/client/download.jsp
+++ b/deegree-services/deegree-webservices/src/main/webapp/console/client/download.jsp
@@ -1,4 +1,4 @@
-<%@ page language="java" pageEncoding="UTF-8" import="java.io.*,javax.faces.context.FacesContext, org.apache.commons.io.IOUtils"%><%
+<%@ page language="java" pageEncoding="UTF-8" import="java.io.*,javax.faces.context.FacesContext, org.apache.commons.io.*"%><%
 // PLEASE NOTE:
 //
 // Do *not* add anything (header, whitespace, etc.) in front or after the JSP
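Review bot: `FileUtils.directoryContains( wsRoot, target )` is evaluated before `target` is created, and in the commons-io 2.x releases I know (through at least 2.11) it returns false for a child that does not yet exist, so every new workspace name would be rejected as invalid and the `target.exists()` branch below would only ever be reached for names already taken; confirm this against the commons-io version in use. Those releases also compare canonical paths by plain prefix, so a sibling directory whose path starts with the root's path still passes. A check that handles both cases is `String root = wsRoot.getCanonicalPath() + File.separator; if ( !target.getCanonicalPath().startsWith( root ) ) {`. The diff adds no import of `org.apache.commons.io.FileUtils` to this file, so this compiles only if it is already imported elsewhere in WorkspaceBean. `unzipWorkspace` begins and ends outside the hunk.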
@@ -8,15 +8,22 @@
 InputStream is = null;
 OutputStream os = null;
 try {
- String mimeType = request.getParameter("mt");
- File file = new File ( new File (System.getProperty("java.io.tmpdir")),request.getParameter("file") );
- response.setContentType( mimeType );
- is = new FileInputStream( file );
- os = response.getOutputStream();
- IOUtils.copy(is, os);
+ String mimeType = request.getParameter( "mt" );
+ String fileName = request.getParameter( "file" );
+
+ File tmpDir = new File( System.getProperty( "java.io.tmpdir" ) );
+ File file = new File( tmpDir, fileName );
+ if ( FileUtils.directoryContains( tmpDir, file ) && file.exists() ) {
+ response.setContentType( mimeType );
+ is = new FileInputStream( file );
+ os = response.getOutputStream();
+ IOUtils.copy( is, os );
+ } else {
+ throw new Exception( "Unable to download requested file: " + fileName );
+ }
 } catch ( Exception e ) {
 e.printStackTrace();
- throw new Exception( "Unable to perform download: " + e.getMessage() );
+ throw new Exception( "Exception while downloading file", e );
 } finally {
 IOUtils.closeQuietly(is);
 IOUtils.closeQuietly(os);
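Review bot: The new guard still lets this page serve any readable file anywhere under `java.io.tmpdir`, including its subdirectories, and that directory is shared with every other process on the host, so confining traversal to it does not meaningfully limit what a caller can download. If the files offered by the console are written there under a bare name, reject anything else, e.g. `if ( fileName == null || !fileName.equals( new File( fileName ).getName() ) ) throw new Exception( "Invalid file name: " + fileName );`, or better serve from a dedicated subdirectory owned by the application. The `mt` parameter is also copied straight from the request into `Content-Type`, so a caller can have arbitrary tmp content rendered as `text/html` in the browser; use a fixed type or at least add `response.setHeader( "Content-Disposition", "attachment" );`. `e.printStackTrace()` sends the full trace to the container's stdout rather than the application log. Whether this page sits behind the console login is not visible from the hunk.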