diff --git a/frappe/middlewares.py b/frappe/middlewares.py
index 168d129ebe..1898734917 100644
--- a/frappe/middlewares.py
+++ b/frappe/middlewares.py
@@ -1,7 +1,7 @@
 # Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors
 # License: MIT. See LICENSE
-import os
+from pathlib import Path
 from werkzeug.exceptions import NotFound
 from werkzeug.middleware.shared_data import SharedDataMiddleware
@@ -18,11 +18,12 @@ class StaticDataMiddleware(SharedDataMiddleware):
 	def get_directory_loader(self, directory):
 		def loader(path):
 			site = get_site_name(frappe.app._site or self.environ.get("HTTP_HOST"))
-			path = os.path.join(directory, site, "public", "files", cstr(path))
-			if os.path.isfile(path):
-				return os.path.basename(path), self._opener(path)
-			else:
+			files_path = Path(directory) / site / "public" / "files"
+			requested_path = Path(cstr(path))
+			path = (files_path / requested_path).resolve()
+			if not path.is_relative_to(files_path) or not path.is_file():
 				raise NotFound
-			# return None, None
+
+			return path.name, self._opener(path)
 		return loader
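Review bot: The containment check compares a resolved path against an unresolved base, so it is only correct when `directory` is already absolute and no component of `files_path` is a symlink; otherwise `path.resolve()` yields a real absolute path that is never relative to `files_path` and every request ends in NotFound (a relative `directory` fails the same way). Resolve the base once as well, `files_path = (Path(directory) / site / "public" / "files").resolve()`, so both sides of `is_relative_to` are canonical and the traversal guard compares like with like. Note that `Path.is_relative_to` exists only from Python 3.9, and that because `resolve()` follows symlinks, a file under public/files that links outside the directory is now rejected — presumably intended as part of the hardening, but worth a one-line comment on the check such as `# reject traversal and symlinks escaping public/files`.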