From 495dcaf215a7e23232ca1ddc619f0ea10ccc7523 Mon Sep 17 00:00:00 2001
From: Jacopo Cappellato
Date: Mon, 27 Apr 2026 11:49:06 +0200
Subject: [PATCH] Improved: Update allowed local file paths to enhance security

---
 framework/security/config/security.properties | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 089d4c93b31..088a4399b4c 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -184,8 +184,7 @@ content.data.ofbiz.file.allowed.paths=applications/,themes/,plugins/,runtime/
 # -- Allowed directories for the LOCAL_FILE / LOCAL_FILE_BIN data resource types (absolute paths).
 # -- Comma-separated, no spaces after commas. Use ${ofbiz.home} as a portable placeholder.
 # -- Only files whose resolved canonical path starts with one of these entries will be served.
-# -- Set to empty to disable this check (NOT recommended).
-content.data.local.file.allowed.paths=${ofbiz.home}
+content.data.local.file.allowed.paths=${ofbiz.home}/runtime/tmp/
 # -- Allowed hosts for the URL_RESOURCE data resource type (comma-separated host names or host:port values).
 # -- Both exact matches and subdomain matches are supported: "example.com" also permits "cdn.example.com".
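Review bot: The new default `${ofbiz.home}/runtime/tmp/` is, per the comment three lines above it, compared as a literal prefix against the file's resolved canonical path, so the entry itself must be in canonical form: if `ofbiz.home` is configured with a trailing slash or passes through a symlinked directory, the concatenated prefix matches no canonical path and every LOCAL_FILE/LOCAL_FILE_BIN request is denied, which fails safe but is hard to diagnose. Worth stating right above the property: `# -- Entries are matched as literal prefixes against canonical paths: give ${ofbiz.home} without a trailing slash and without symlinked components, and keep the trailing '/' so that e.g. runtime/tmp2/ is not accepted.` The removed "Set to empty to disable this check" sentence is not replaced by anything, so the meaning of an empty value is now unstated; if the code still treats empty as "no check", that should be documented here (and ideally changed to deny-all), because an operator who blanks the value to work around a prefix mismatch would silently reopen all of `${ofbiz.home}`, including this file and the entity-engine configuration. Whether the implementation canonicalises the configured entries before comparing is not visible in this diff and should be confirmed against the Java side.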