--- a/xbmc/network/WebServer.cpp
+++ b/xbmc/network/WebServer.cpp
@@ -43,6 +43,7 @@
 #include "URL.h"
 #include "Util.h"
 #include "utils/Base64.h"
+#include "utils/FileUtils.h"
 #include "utils/log.h"
 #include "utils/Mime.h"
 #include "utils/StringUtils.h"
@@ -765,6 +766,10 @@ int CWebServer::CreateFileDownloadRespon
   std::shared_ptr<XFILE::CFile> file = std::make_shared<XFILE::CFile>();
   std::string filePath = handler->GetResponseFile();
 
+  // access check
+  if (!CFileUtils::CheckFileAccessAllowed(filePath))
+    return SendErrorResponse(request, MHD_HTTP_NOT_FOUND, request.method);
+
   if (!file->Open(filePath, XFILE::READ_NO_CACHE))
   {
     CLog::Log(LOGERROR, "CWebServer[%hu]: Failed to open %s", m_port, filePath.c_str());
--- a/xbmc/network/httprequesthandler/HTTPImageHandler.cpp
+++ b/xbmc/network/httprequesthandler/HTTPImageHandler.cpp
@@ -22,6 +22,8 @@
 #include "URL.h"
 #include "filesystem/ImageFile.h"
 #include "network/WebServer.h"
+#include "utils/FileUtils.h"
+
 
 CHTTPImageHandler::CHTTPImageHandler(const HTTPRequest &request)
   : CHTTPFileHandler(request)
@@ -36,7 +38,7 @@ CHTTPImageHandler::CHTTPImageHandler(con
 
     XFILE::CImageFile imageFile;
     const CURL pathToUrl(file);
-    if (imageFile.Exists(pathToUrl))
+    if (imageFile.Exists(pathToUrl) && CFileUtils::CheckFileAccessAllowed(file))
     {
       responseStatus = MHD_HTTP_OK;
       struct __stat64 statBuffer;
--- a/xbmc/network/httprequesthandler/HTTPWebinterfaceHandler.cpp
+++ b/xbmc/network/httprequesthandler/HTTPWebinterfaceHandler.cpp
@@ -24,6 +24,7 @@
 #include "addons/Webinterface.h"
 #include "filesystem/Directory.h"
 #include "filesystem/File.h"
+#include "utils/FileUtils.h"
 #include "utils/StringUtils.h"
 #include "utils/URIUtils.h"
 
@@ -72,6 +73,9 @@ int CHTTPWebinterfaceHandler::ResolveUrl
     }
   }
 
+  if (!CFileUtils::CheckFileAccessAllowed(path))
+    return MHD_HTTP_NOT_FOUND;
+
   if (!XFILE::CFile::Exists(path))
     return MHD_HTTP_NOT_FOUND;
 
--- a/xbmc/utils/FileUtils.cpp
+++ b/xbmc/utils/FileUtils.cpp
@@ -17,6 +17,7 @@
  *  <http://www.gnu.org/licenses/>.
  *
  */
+
 #include "FileUtils.h"
 #include "guilib/GUIWindowManager.h"
 #include "dialogs/GUIDialogYesNo.h"
@@ -26,9 +27,9 @@
 #include "JobManager.h"
 #include "FileOperationJob.h"
 #include "URIUtils.h"
-#include "filesystem/StackDirectory.h"
 #include "filesystem/MultiPathDirectory.h"
-#include <vector>
+#include "filesystem/SpecialProtocol.h"
+#include "filesystem/StackDirectory.h"
 #include "settings/MediaSourceSettings.h"
 #include "Util.h"
 #include "StringUtils.h"
@@ -36,6 +37,13 @@
 #include "settings/Settings.h"
 #include "utils/Variant.h"
 
+#if defined(TARGET_WINDOWS)
+#include "platform/win32/WIN32Util.h"
+#include "utils/CharsetConverter.h"
+#endif
+
+#include <vector>
+
 using namespace XFILE;
 
 bool CFileUtils::DeleteItem(const std::string &strPath, bool force)
@@ -226,3 +234,100 @@ CDateTime CFileUtils::GetModificationDat
   }
   return dateAdded;
 }
+
+bool CFileUtils::CheckFileAccessAllowed(const std::string &filePath)
+{
+  // DENY access to paths matching
+  const std::vector<std::string> blacklist = {
+    "passwords.xml",
+    "sources.xml",
+    "guisettings.xml",
+    "advancedsettings.xml",
+    "server.key",
+    "/.ssh/",
+  };
+  // ALLOW kodi paths
+  const std::vector<std::string> whitelist = {
+    CSpecialProtocol::TranslatePath("special://home"),
+    CSpecialProtocol::TranslatePath("special://xbmc")
+  };
+
+  // image urls come in the form of image://... sometimes with a / appended at the end
+  // strip this off to get the real file path
+  bool isImage = false;
+  std::string decodePath = CURL::Decode(filePath);
+  size_t pos = decodePath.find("image://");
+  if (pos != std::string::npos)
+  {
+    isImage = true;
+    decodePath.erase(pos, 8);
+    URIUtils::RemoveSlashAtEnd(decodePath);
+  }
+
+  // check blacklist
+  for (const auto &b : blacklist)
+  {
+    if (decodePath.find(b) != std::string::npos)
+    {
+      CLog::Log(LOGERROR,"%s denied access to %s",  __FUNCTION__, decodePath.c_str());
+      return false;
+    }
+  }
+
+#if defined(TARGET_POSIX)
+  std::string whiteEntry;
+  char *fullpath = realpath(decodePath.c_str(), nullptr);
+
+  // if this is a locally existing file, check access permissions
+  if (fullpath)
+  {
+    const std::string realPath = fullpath;
+    free(fullpath);
+
+    // check whitelist
+    for (const auto &w : whitelist)
+    {
+      char *realtemp = realpath(w.c_str(), nullptr);
+      if (realtemp)
+      {
+        whiteEntry = realtemp;
+        free(realtemp);
+      }
+      if (StringUtils::StartsWith(realPath, whiteEntry))
+        return true;
+    }
+    // check sources with realPath
+    return CFileUtils::RemoteAccessAllowed(realPath);
+  }
+#elif defined(TARGET_WINDOWS)
+  CURL url(decodePath);
+  if (url.GetProtocol().empty())
+  {
+    std::wstring decodePathW;
+    g_charsetConverter.utf8ToW(decodePath, decodePathW, false);
+    CWIN32Util::AddExtraLongPathPrefix(decodePathW);
+    DWORD bufSize = GetFullPathNameW(decodePathW.c_str(), 0, nullptr, nullptr);
+    if (bufSize > 0)
+    {
+      std::wstring fullpathW;
+      fullpathW.resize(bufSize);
+      if (GetFullPathNameW(decodePathW.c_str(), bufSize, const_cast<wchar_t*>(fullpathW.c_str()), nullptr) <= bufSize - 1)
+      {
+        CWIN32Util::RemoveExtraLongPathPrefix(fullpathW);
+        std::string fullpath;
+        g_charsetConverter.wToUTF8(fullpathW, fullpath, false);
+        for (const std::string& whiteEntry : whitelist)
+        {
+          if (StringUtils::StartsWith(fullpath, whiteEntry))
+            return true;
+        }
+        return CFileUtils::RemoteAccessAllowed(fullpath);
+      }
+    }
+  }
+#endif
+  // if it isn't a local file, it must be a vfs entry
+  if (! isImage)
+    return CFileUtils::RemoteAccessAllowed(decodePath);
+  return true;
+}
--- a/xbmc/utils/FileUtils.h
+++ b/xbmc/utils/FileUtils.h
@@ -24,6 +24,7 @@
 class CFileUtils
 {
 public:
+  static bool CheckFileAccessAllowed(const std::string &filePath);
   static bool DeleteItem(const CFileItemPtr &item, bool force=false);
   static bool DeleteItem(const std::string &strPath, bool force=false);
   static bool RenameFile(const std::string &strFile);
