diff --git a/sdk/jme3-core/src/com/jme3/gde/core/assets/ProjectAssetManager.java b/sdk/jme3-core/src/com/jme3/gde/core/assets/ProjectAssetManager.java
index 519a58d87..89c70ead9 100644
--- a/sdk/jme3-core/src/com/jme3/gde/core/assets/ProjectAssetManager.java
+++ b/sdk/jme3-core/src/com/jme3/gde/core/assets/ProjectAssetManager.java
@@ -116,7 +116,7 @@ public class ProjectAssetManager extends DesktopAssetManager {
 }
 String projectRootPath = project.getProjectDirectory().getPath();
 logger.log(Level.INFO, "Add locator: {0}", projectRootPath);
- registerLocator(projectRootPath, "com.jme3.asset.plugins.FileLocator");
+ registerLocator(projectRootPath, com.jme3.gde.core.assets.RootLockingFileLocator.class);
 for (AssetManagerConfigurator di : Lookup.getDefault().lookupAll(AssetManagerConfigurator.class)) {
 di.prepareManager(this);
 }
diff --git a/sdk/jme3-core/src/com/jme3/gde/core/assets/RootLockingFileLocator.java b/sdk/jme3-core/src/com/jme3/gde/core/assets/RootLockingFileLocator.java
new file mode 100644
index 000000000..b106feef1
--- /dev/null
+++ b/sdk/jme3-core/src/com/jme3/gde/core/assets/RootLockingFileLocator.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2003-2012 jMonkeyEngine
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * * Neither the name of 'jMonkeyEngine' nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package com.jme3.gde.core.assets;
+
+import com.jme3.asset.AssetInfo;
+import com.jme3.asset.AssetKey;
+import com.jme3.asset.AssetManager;
+import com.jme3.asset.plugins.FileLocator;
+
+/**
+ * FileLocator that doesn't allow paths outside the AssetManager root.
+ * @author normenhansen
+ */
+public class RootLockingFileLocator extends FileLocator {
+
+ @Override
+ public AssetInfo locate(AssetManager manager, AssetKey key) {
+ //TODO: check if file is in fact inside the root
+ if (key.getName().contains("..")) {
+ return null;
+ }
+ return super.locate(manager, key);
+ }
+}
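Review bot: The `key.getName().contains("..")` guard in `locate` is a substring filter on the asset name rather than a containment check, which the `//TODO` above it already concedes, so the class Javadoc ("doesn't allow paths outside the AssetManager root") promises more than the code enforces. It refuses legitimate names that merely contain two consecutive dots (for example a file called `a..b.png`, a constructed name), and it never looks at where the resolved file actually lives, for instance when a link inside the project directory resolves elsewhere. I would record the canonical root in a `setRootPath` override and compare the canonical path of the resolved file against it, failing closed on `IOException`; whether links that leave the root should be refused is a project decision that this makes explicit. A rejected key currently returns `null` silently, so a log line at that point would help when an asset unexpectedly fails to load.

```java
public class RootLockingFileLocator extends FileLocator {

    // Canonical root with a trailing separator; null until setRootPath() succeeds.
    private String canonicalRootPrefix;

    @Override
    public void setRootPath(String rootPath) {
        super.setRootPath(rootPath);
        try {
            String canonicalRoot = new java.io.File(rootPath).getCanonicalPath();
            // Trailing separator keeps "/proj" from matching a sibling such as "/proj-other".
            canonicalRootPrefix = canonicalRoot.endsWith(java.io.File.separator)
                    ? canonicalRoot
                    : canonicalRoot + java.io.File.separator;
        } catch (java.io.IOException ex) {
            canonicalRootPrefix = null; // fail closed: locate() then refuses every key
        }
    }

    @Override
    public AssetInfo locate(AssetManager manager, AssetKey key) {
        if (canonicalRootPrefix == null) {
            return null;
        }
        try {
            String resolved = new java.io.File(canonicalRootPrefix, key.getName()).getCanonicalPath();
            if (!resolved.startsWith(canonicalRootPrefix)) {
                return null;
            }
        } catch (java.io.IOException ex) {
            return null;
        }
        return super.locate(manager, key);
    }
}
```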