--- getfile.php.orig	2022-07-04 14:45:34.000000000 +0100
+++ getfile.php	2023-12-15 17:17:00.713003624 +0000
@@ -33,10 +33,13 @@
     $unsafe_file_path = str_replace('/', DIRECTORY_SEPARATOR, $unsafe_file_path);
 }
 $full_unsafe_file_path = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short . $unsafe_file_path;
+
+$twodots = strpos($full_unsafe_file_path, '..');
+
 // This gets the canonical file name, so in case of 542-tom-Notingham/../../../../etc/passwd -> /etc/passwd
 $realpath = realpath($full_unsafe_file_path);
 // Check that is start with root_path/USER-FILES
-if ($realpath !== false && $realpath === $full_unsafe_file_path) {
+if ($realpath !== false && ($realpath === $full_unsafe_file_path || $twodots === false)) {
     if (!preg_match('/^([0-9]+)-([a-z0-9]+)-/', $unsafe_file_path, $matches)) {
         die("path must start with a number, and then a username - e.g. 20-foobar-");
     }
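Review bot: The relaxed condition on the `if` line still never verifies that `$realpath` lies under the users file area, which is what the comment above it ("Check that is start with root_path/USER-FILES") says the check is for; the new `$twodots === false` branch accepts any `..`-free path whose canonical form differs from the constructed one, and a differing canonical form with no `..` present is precisely what a symlink inside the users directory that resolves elsewhere produces. A prefix check on the canonical path does what the comment promises without the substring test: `$users_area = realpath($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short);` followed by `if ($realpath !== false && $users_area !== false && strncmp($realpath, $users_area . DIRECTORY_SEPARATOR, strlen($users_area) + 1) === 0) {`, which keeps the existing `$realpath !== false` guard for non-existent files. Whether `users_file_area_short` already ends with a separator is not visible here, so the joined prefix may need an `rtrim` first. The `if` body continues beyond the end of the hunk.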