diff --git a/backend/Services/Storage/Filesystem.php b/backend/Services/Storage/Filesystem.php
index 36c4823..a26f246 100644
--- a/backend/Services/Storage/Filesystem.php
+++ b/backend/Services/Storage/Filesystem.php
@@ -235,8 +235,11 @@ class Filesystem implements Service
     private function applyPathPrefix(string $path): string
     {
-        if (strpos($path, '..') !== false) {
-            $path = "/";
+        if ($path == '..'
+            || strpos($path, '..'.$this->separator) !== false
+            || strpos($path, $this->separator.'..') !== false
+        ) {
+            $path = $this->separator;
         }
         return $this->joinPaths($this->getPathPrefix(), $path);
     }
diff --git a/tests/backend/Unit/FilesystemTest.php b/tests/backend/Unit/FilesystemTest.php
index 0418b34..0b057d7 100644
--- a/tests/backend/Unit/FilesystemTest.php
+++ b/tests/backend/Unit/FilesystemTest.php
@@ -403,6 +403,8 @@ class FilesystemTest extends TestCase
         $this->assertEquals('/john/test.txt/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt/']));
         // no escaping path to upper dir
         $this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/..']));
+        $this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['..']));
+        $this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['../']));
         $this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/sub/../../']));
     }
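Review bot: The new guard in applyPathPrefix compares `$path == '..'` loosely and spells containment as `strpos(...) !== false`; with strict comparison and `str_contains()` (PHP 8+) the intent is clearer: `if ($path === '..' || str_contains($path, '..'.$this->separator) || str_contains($path, $this->separator.'..')) {`. The check only recognises `..` adjacent to `$this->separator`, so if paths can reach this method with the other separator style (e.g. backslashes while the separator is `/`), that form is not caught here and would have to be normalised by joinPaths or the caller, which is outside the hunk. Silently collapsing a traversal attempt to the root directory also hides the event from callers and logs; throwing an `\InvalidArgumentException` or at least logging the rejected `$path` before resetting it would make the condition observable. The enclosing class continues outside the hunk.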
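Review bot: The added assertions only cover inputs that must be rejected; the change's stated purpose (the old `strpos($path, '..')` check rejected any path containing `..`) implies a filename such as `file..txt` should now be accepted, and nothing in the test pins that. Adding an assertion like `$this->assertEquals('/john/file..txt', $this->invokeMethod($this->storage, 'applyPathPrefix', ['file..txt']));` (expected value inferred from the `test.txt/` case above; confirm) would protect the relaxed rule from being tightened again by accident. A case for a trailing parent segment without a trailing separator, `['sub/..']` expecting `'/john/'`, would also close the remaining gap between the `'..'` and `'/sub/../../'` cases. The test method continues outside the hunk.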