diff --git a/core/src/main/java/org/mapfish/print/servlet/ServletMapPrinterFactory.java b/core/src/main/java/org/mapfish/print/servlet/ServletMapPrinterFactory.java
index 384f032f8b..0ec5b3c254 100644
--- a/core/src/main/java/org/mapfish/print/servlet/ServletMapPrinterFactory.java
+++ b/core/src/main/java/org/mapfish/print/servlet/ServletMapPrinterFactory.java
@@ -241,6 +241,10 @@ private URI checkForAddedApp(@Nonnull final String app) {
 if (StringUtils.countMatches(app, ":") > MAX_DEPTH) {
 return null;
 }
+ if (!app.matches("^[a-zA-Z0-9:]+$")) {
+ return null;
+ }
+
 final Optional child;
 try {
 child = this.configFileLoader.toFile(new URI(this.appsRootDirectory + "/" +
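Review bot: The new allowlist in checkForAddedApp still accepts empty path segments, because `^[a-zA-Z0-9:]+$` matches values such as `:` or `a::b`; if `:` is later mapped to a path separator (the MAX_DEPTH check suggests so, but that code is outside the hunk), these become empty components in the URI built from appsRootDirectory. A stricter form states the intent and avoids recompiling the regex on every call: `private static final Pattern APP_NAME = Pattern.compile("[a-zA-Z0-9]+(:[a-zA-Z0-9]+)*");` with `if (!APP_NAME.matcher(app).matches()) { return null; }` (the constant name is only a suggestion). The check also rejects names containing `-`, `_` or `.`, so any existing app directories named that way would stop resolving with no log line; a comment saying the check guards the path concatenation below, plus a debug log on rejection, would make that visible. The method body continues past the end of the hunk.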