diff --git a/src/main/java/org/apache/ibatis/io/DefaultVFS.java b/src/main/java/org/apache/ibatis/io/DefaultVFS.java
index 9fa5da4e1b2..f0f93dfad62 100644
--- a/src/main/java/org/apache/ibatis/io/DefaultVFS.java
+++ b/src/main/java/org/apache/ibatis/io/DefaultVFS.java
@@ -79,10 +79,15 @@ public List list(URL url, String path) throws IOException {
 if (log.isDebugEnabled()) {
 log.debug("Listing " + url);
 }
+ File destinationDir = new File(path);
 for (JarEntry entry; (entry = jarInput.getNextJarEntry()) != null;) {
 if (log.isDebugEnabled()) {
 log.debug("Jar entry: " + entry.getName());
 }
+ File entryFile = new File(destinationDir, entry.getName()).getCanonicalFile();
+ if (!entryFile.getPath().startsWith(destinationDir.getCanonicalPath())) {
+ throw new IOException("Bad zip entry: " + entry.getName());
+ }
 children.add(entry.getName());
 }
 }
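Review bot: The containment check on the new `if` line is a plain string prefix test, so an entry that canonicalizes to a sibling directory whose name merely extends the base name (base `dest`, entry resolving under `dest-other`) passes `startsWith(destinationDir.getCanonicalPath())` even though it lies outside the directory. Comparing by path elements closes that gap with no new imports: `if (!entryFile.toPath().startsWith(destinationDir.getCanonicalFile().toPath())) {`. Separately, `path` in this method appears to be the resource path being listed rather than an extraction target, and the loop only collects `entry.getName()` into `children`, so the canonicalization costs a filesystem call per entry while guarding a write that this hunk does not perform; if that reading is right, a comment on the `destinationDir` line stating what the check protects would help the next reader. The enclosing `list` method starts before and continues after this hunk.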