diff --git a/meshcentral.js b/meshcentral.js
index c2ff568a..6bd209df 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -585,6 +585,7 @@ function CreateMeshCentralServer(config, args) {
 const child_process = require('child_process');
 try { if (process.traceDeprecation === true) { startArgs.unshift('--trace-deprecation'); } } catch (ex) { }
 try { if (process.traceProcessWarnings === true) { startArgs.unshift('--trace-warnings'); } } catch (ex) { }
+ if (startArgs[0] != "--disable-proto=delete") startArgs.unshift("--disable-proto=delete")
 childProcess = child_process.execFile(process.argv[0], startArgs, { maxBuffer: Infinity, cwd: obj.parentpath }, function (error, stdout, stderr) {
 if (childProcess.xrestart == 1) {
 setTimeout(function () { obj.launchChildServer(startArgs); }, 500); // This is an expected restart.
diff --git a/meshuser.js b/meshuser.js
index 7a4a1b87..ea6390db 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -928,7 +928,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 // Get a short file and send it back on the web socket
 if (common.validateString(command.file, 1, 4096) == false) return;
 const scpath = meshPathToRealPath(command.path, user); // This will also check access rights
- if (scpath == null) break;
+ if ((scpath == null) || (command.file !== parent.path.basename(command.file))) break;
 const filePath = parent.path.join(scpath, command.file);
 fs.stat(filePath, function (err, stat) {
 if ((err != null) || (stat == null) || (stat.size >= 204800)) return;
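Review bot: The guard on the added line in meshcentral.js only inspects `startArgs[0]`, but the two lines above it can unshift `--trace-deprecation` or `--trace-warnings`, and the restart callback hands the same `startArgs` array back to `obj.launchChildServer`. If that call re-enters this code (the function body starts outside the hunk), the flag is no longer at index 0 on the next pass and is prepended again on every restart. `if (!startArgs.includes('--disable-proto=delete')) { startArgs.unshift('--disable-proto=delete'); }` avoids that and matches the single quotes and semicolons of the neighbouring lines. A short comment would also help the next reader, e.g. `// Remove Object.prototype.__proto__ in the child process to harden against prototype pollution`. Node rejects options it does not recognise at startup, so it is worth confirming that every supported Node version knows `--disable-proto`, or gating the flag on the version.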
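Review bot: The basename comparison added in this meshuser.js hunk (and again in the `@@ -943` hunk) rejects names that contain a path separator, but `.` and `..` are their own basename, so they pass and `parent.path.join(scpath, '..')` yields the parent of the authorised directory. A containment check on the resolved path is more robust, assuming `parent.path` is Node's `path` module: `const filePath = parent.path.resolve(scpath, command.file);` followed by `if (!filePath.startsWith(parent.path.resolve(scpath) + parent.path.sep)) break;`. The rejection is also silent; logging the user and the rejected `command.file` would give operators a signal for traversal attempts. The enclosing `case` starts and ends outside the hunk, and whether `meshPathToRealPath` resolves symlinks is not visible here.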
@@ -943,7 +943,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 if (common.validateString(command.file, 1, 4096) == false) return;
 if (typeof command.data != 'string') return;
 const scpath = meshPathToRealPath(command.path, user); // This will also check access rights
- if (scpath == null) break;
+ if ((scpath == null) || (command.file !== parent.path.basename(command.file))) break;
 const filePath = parent.path.join(scpath, command.file);
 var data = null;
 try { data = Buffer.from(command.data, 'base64'); } catch (ex) { return; }
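Review bot: On this write path the `try`/`catch` around `Buffer.from(command.data, 'base64')` validates nothing, because Node decodes malformed base64 leniently instead of throwing. No size bound on `command.data` is visible in the hunk either, whereas the read path caps files at 204800 bytes. If no limit is enforced further down or by the WebSocket layer (the case body continues outside the hunk), consider a guard before decoding such as `if (command.data.length > MAX_B64_UPLOAD_LEN) return;`, where `MAX_B64_UPLOAD_LEN` is a placeholder for a project-chosen limit. A one-line comment stating the intended maximum upload size would document the contract.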