diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/RecordingService.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/RecordingService.java
index 69c86878aa576dc0535ea1e4401b61d0a3d1a425..172c1a9be636840cbcf21b2c63f3a2cdc9acfb79 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/RecordingService.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/RecordingService.java
@@ -88,10 +88,28 @@ public class RecordingService {
     }
 
     public File getDownloadablePresentationFile(String meetingId, String presId, String presFilename) {
-    	log.info("Find downloadable presentation for meetingId={} presId={} filename={}", meetingId, presId, presFilename);
-
+        log.info("Find downloadable presentation for meetingId={} presId={} filename={}", meetingId, presId,
+                presFilename);
         File presDir = Util.getPresentationDir(presentationBaseDir, meetingId, presId);
-        return new File(presDir.getAbsolutePath() + File.separatorChar + presFilename);
+        // Build file to presFilename
+        // Get canonicalPath and make sure it starts with
+        // /var/bigbluebutton/<meetingid-pattern>
+        // If so return file, if not return null
+        File presFile = new File(presDir.getAbsolutePath() + File.separatorChar + presFilename);
+        try {
+            String presFileCanonical = presFile.getCanonicalPath();
+            log.debug("Requested presentation name file full path {}",presFileCanonical);
+            if (presFileCanonical.startsWith(presentationBaseDir)) {
+                return presFile;
+            }
+        } catch (IOException e) {
+            log.error("Exception getting canonical path for {}.\n{}", presFilename, e);
+            return null;
+        }
+
+        log.error("Cannot find file for {}.", presFilename);
+
+        return null;
     }
 
     public void kickOffRecordingChapterBreak(String meetingId, Long timestamp) {
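Review bot: The containment test `presFileCanonical.startsWith(presentationBaseDir)` is a plain string-prefix comparison against the whole presentation base directory, so it is looser than the comment above it suggests. A directory whose name merely begins with the base path would pass. A `presFilename` with parent-directory segments can also still resolve into a different meeting's or presentation's directory, because the check is not made against `presDir`. The base value is not canonicalized either, so a symlinked or trailing-separator configuration may make the comparison reject legitimate files or accept unintended ones. Comparing path elements against the canonical presentation directory closes these gaps: `if (presFile.getCanonicalFile().toPath().startsWith(presDir.getCanonicalFile().toPath())) { return presFile; }`.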
diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
index 1dec865617339e9ef235ad9709f7fcbad9ec647e..5f7fd2b81ba0f347d14f6d3d2a452f55db7a34af 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
@@ -297,7 +297,7 @@ class PresentationController {
     InputStream is = null;
     try {
       def pres = meetingService.getDownloadablePresentationFile(meetingId, presId, presFilename)
-      if (pres.exists()) {
+      if (pres != null && pres.exists()) {
         log.debug "Controller: Sending pdf reply for $presFilename"
 
         def bytes = pres.readBytes()
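Review bot: The guard `pres != null && pres.exists()` is still true when the resolved path is a directory, for example when `presFilename` is empty or resolves to the presentation directory itself, so `pres.readBytes()` is then reached with something that is not a regular file. Testing for a regular file keeps that case in the not-found branch instead of relying on the `IOException` handler: `if (pres != null && pres.isFile()) {`. The enclosing controller action starts and ends outside this hunk, so how `presFilename` is validated before this point is not visible here.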
@@ -311,9 +311,11 @@ class PresentationController {
         response.outputStream << bytes;
       } else {
         log.warn "$pres does not exist."
+		response.status = 404
       }
     } catch (IOException e) {
       log.error("Error reading file.\n" + e.getMessage());
+	  response.status = 404
     }
   }
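Review bot: The `response.status = 404` added in the `catch (IOException e)` branch may have no effect if the exception is raised after `response.outputStream << bytes` has started writing, because the response is likely already committed by then. Consider checking `response.isCommitted()` before setting the status, and using a 500 for a genuine read failure so it can be told apart from a missing or rejected file in monitoring. Both added lines are also indented with tabs while the surrounding code uses spaces. The `log.warn "$pres does not exist."` line will now print `null does not exist.` for a rejected path, so logging `presFilename` there would be more useful for spotting traversal attempts.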