From 20f3b4418c59848daa816172f0bc749f280cbf0c Mon Sep 17 00:00:00 2001
From: Jacopo Cappellato
Date: Mon, 27 Apr 2026 11:49:06 +0200
Subject: [PATCH] Improved: Update allowed local file paths to enhance security

(cherry picked from commit f82bca8c8a32f98b6f280e19a38794f7fbe357ed)
---
 framework/security/config/security.properties | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 47bea88c9a5..f70ec1d5976 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -169,8 +169,7 @@ content.data.ofbiz.file.allowed.paths=applications/,themes/,plugins/,runtime/
 # -- Allowed directories for the LOCAL_FILE / LOCAL_FILE_BIN data resource types (absolute paths).
 # -- Comma-separated, no spaces after commas. Use ${ofbiz.home} as a portable placeholder.
 # -- Only files whose resolved canonical path starts with one of these entries will be served.
-# -- Set to empty to disable this check (NOT recommended).
-content.data.local.file.allowed.paths=${ofbiz.home}
+content.data.local.file.allowed.paths=${ofbiz.home}/runtime/tmp/
 
 # -- Allowed hosts for the URL_RESOURCE data resource type (comma-separated host names or host:port values).
 # -- Both exact matches and subdomain matches are supported: "example.com" also permits "cdn.example.com".
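Review bot: The comment block above the new default no longer says what an empty value does, because the hunk drops the `# -- Set to empty to disable this check (NOT recommended).` line together with the old default; whether an empty `content.data.local.file.allowed.paths` still disables the check or now rejects every LOCAL_FILE path cannot be told from the remaining lines, and an operator editing this file will need to know. Since the preceding comment describes the check as a canonical-path prefix match, the trailing slash on `${ofbiz.home}/runtime/tmp/` is what keeps a sibling directory from matching, and that is worth stating next to the entry: `# -- End each entry with a path separator; the prefix match would otherwise also accept sibling directories (e.g. runtime/tmp2).` A further one-line comment saying that the default was narrowed from `${ofbiz.home}` and that installations serving LOCAL_FILE content from other directories must now list them explicitly would save operators a surprise on upgrade.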