diff --git a/prototype/src/main/java/org/hso/ecommerce/controller/shop/ShopArticleController.java b/prototype/src/main/java/org/hso/ecommerce/controller/shop/ShopArticleController.java
index 18144f7..bca16ab 100644
--- a/prototype/src/main/java/org/hso/ecommerce/controller/shop/ShopArticleController.java
+++ b/prototype/src/main/java/org/hso/ecommerce/controller/shop/ShopArticleController.java
@@ -16,6 +16,7 @@ import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -102,9 +103,14 @@ public class ShopArticleController {
         Article article = articleRepository.findArticleById(id);
 
         if(article.image != null) {
-            InputStream in = new FileInputStream(article.image.path);
-            response.setContentType(MediaType.IMAGE_JPEG_VALUE);
-            IOUtils.copy(in, response.getOutputStream());
+            File file = new File(article.image.path);
+            if (file.getCanonicalPath().startsWith("./data/img/")) {
+                InputStream in = new FileInputStream(file);
+                response.setContentType(MediaType.IMAGE_JPEG_VALUE);
+                IOUtils.copy(in, response.getOutputStream());
+            } else {
+                throw new RuntimeException("Got illegal file path. DB was modified.");
+            }
         }
     }
 }
\ No newline at end of file
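Review bot: The guard `file.getCanonicalPath().startsWith("./data/img/")` in the second hunk cannot match, because `getCanonicalPath()` returns an absolute, normalized path that never begins with `./`; as written every image request falls into the RuntimeException branch, and the traversal check the commit intends is not actually exercised. Compare against the canonical form of the base directory instead, and compare by path component rather than string prefix so that a sibling directory whose name merely starts with the same characters is not accepted. The `FileInputStream` opened in the same hunk is also never closed; try-with-resources releases it on every exit path. The method signature lies outside the hunk, so whether it already declares `throws IOException` is not visible here.
```java
File base = new File("./data/img").getCanonicalFile();
File file = new File(article.image.path).getCanonicalFile();
// Component-wise comparison of two canonical paths: rejects "..", symlinks out of
// the base, and look-alike sibling directories that a string prefix would accept.
if (file.toPath().startsWith(base.toPath())) {
    try (InputStream in = new FileInputStream(file)) {
        response.setContentType(MediaType.IMAGE_JPEG_VALUE);
        IOUtils.copy(in, response.getOutputStream());
    }
} else {
    throw new RuntimeException("Got illegal file path. DB was modified.");
}
```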