by eneko 5707 days ago
Nice. The code was already checking for '..' on the path, but the condition was erroneous. Fixed now.
You might be better off getting the canonical path and then checking against a whitelist. E.g. `strpos(realpath($command_path), '/var/www/html/') === 0`.
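The canonical-path check the reply describes, written out as an added PHP example (not code from either commenter or from the project being discussed). It resolves the user-supplied path with `realpath()`, resolves the allowed root the same way, and compares with the trailing separator included; the directory names and the temporary tree it builds are constructed for the demonstration, and the reply only names `/var/www/html/`.

```php
<?php
// Added example: canonicalise a user-supplied path and confine it to an
// allowed directory. The allowed root passed in is an assumption; the thread
// only mentions '/var/www/html/'.

function is_path_allowed(string $user_path, string $allowed_root): bool
{
    // realpath() resolves '..', '.', symlinks and duplicate slashes. It
    // returns false when the target does not exist; treat that as denied.
    $canonical = realpath($user_path);
    if ($canonical === false) {
        return false;
    }

    // Canonicalise the root too, so both sides are in the same form.
    $root = realpath($allowed_root);
    if ($root === false) {
        return false;
    }
    // Compare with a trailing separator: without it, a bare prefix test for
    // '/var/www/html' would also accept '/var/www/html_backup/secret'.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Allow the root directory itself or anything strictly below it.
    return $canonical . DIRECTORY_SEPARATOR === $root
        || strpos($canonical, $root) === 0;
}

// Demonstration on a temporary directory tree constructed inline.
$base = sys_get_temp_dir() . '/pathcheck_' . bin2hex(random_bytes(4));
mkdir("$base/html/sub", 0700, true);
mkdir("$base/html_backup", 0700, true);
file_put_contents("$base/html/sub/page.php", '');
file_put_contents("$base/html_backup/secret.txt", '');
file_put_contents("$base/outside.txt", '');

$root = "$base/html/";
$cases = [
    "$base/html/sub/page.php"        => true,   // inside the root
    "$base/html/sub/../sub/page.php" => true,   // '..' that stays inside
    "$base/html/../outside.txt"      => false,  // '..' escaping the root
    "$base/html_backup/secret.txt"   => false,  // sibling dir sharing the prefix
    "$base/html/missing.php"         => false,  // nonexistent file
];
foreach ($cases as $path => $expected) {
    $got = is_path_allowed($path, $root);
    printf("%-4s %s\n", $got === $expected ? 'ok' : 'FAIL', $path);
}

// Clean up the constructed tree.
unlink("$base/html/sub/page.php");
unlink("$base/html_backup/secret.txt");
unlink("$base/outside.txt");
rmdir("$base/html/sub");
rmdir("$base/html");
rmdir("$base/html_backup");
rmdir($base);
```

Two points worth keeping in mind when using this pattern: because `realpath()` follows symlinks, a link inside the allowed root that points outside it is rejected, which is the behaviour you want from a whitelist; and because the check and the later file access are separate operations, the file should be opened immediately after the check rather than after other work.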