Improved: Update allowed local file paths to enhance security

Author: jacopoc

framework/security/config/security.properties

@@ -184,8 +184,7 @@ content.data.ofbiz.file.allowed.paths=applications/,themes/,plugins/,runtime/
 # -- Allowed directories for the LOCAL_FILE / LOCAL_FILE_BIN data resource types (absolute paths).
 # -- Comma-separated, no spaces after commas. Use ${ofbiz.home} as a portable placeholder.
 # -- Only files whose resolved canonical path starts with one of these entries will be served.
-# -- Set to empty to disable this check (NOT recommended).
-content.data.local.file.allowed.paths=${ofbiz.home}
+content.data.local.file.allowed.paths=${ofbiz.home}/runtime/tmp/
 
 # -- Allowed hosts for the URL_RESOURCE data resource type (comma-separated host names or host:port values).
 # -- Both exact matches and subdomain matches are supported: "example.com" also permits "cdn.example.com".