diff --git a/src/main/java/run/halo/app/utils/FileUtils.java b/src/main/java/run/halo/app/utils/FileUtils.java
index d733d4a04..1e4c02b4b 100644
--- a/src/main/java/run/halo/app/utils/FileUtils.java
+++ b/src/main/java/run/halo/app/utils/FileUtils.java
@@ -296,7 +296,7 @@ public class FileUtils {
         Assert.notNull(parentPath, "Parent path must not be null");
         Assert.notNull(pathToCheck, "Path to check must not be null");
 
-        if (pathToCheck.startsWith(parentPath.normalize())) {
+        if (pathToCheck.normalize().startsWith(parentPath)) {
             return;
         }
 
diff --git a/src/test/java/run/halo/app/utils/DirectoryAttackTest.java b/src/test/java/run/halo/app/utils/DirectoryAttackTest.java
index 6e91f6d05..65c83f198 100644
--- a/src/test/java/run/halo/app/utils/DirectoryAttackTest.java
+++ b/src/test/java/run/halo/app/utils/DirectoryAttackTest.java
@@ -2,6 +2,7 @@ package run.halo.app.utils;
 
 import org.junit.Assert;
 import org.junit.Test;
+import run.halo.app.exception.ForbiddenException;
 
 import java.io.IOException;
 import java.nio.file.Path;
@@ -68,4 +69,14 @@ public class DirectoryAttackTest {
         System.out.println("Name count: " + path.getNameCount());
         System.out.println("Normalized path: " + path.normalize());
     }
+
+    @Test
+    public void traversalTestWhenSuccess() {
+        FileUtils.checkDirectoryTraversal("/etc/", "/etc/halo/halo/../test");
+    }
+
+    @Test(expected = ForbiddenException.class)
+    public void traversalTestWhenFailure() {
+        FileUtils.checkDirectoryTraversal("/etc/", "/etc/../tmp");
+    }
 }
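Review bot: The rewritten condition normalizes only pathToCheck, so a parentPath that itself contains `.` or `..` segments (exactly the side the old code normalized) is now compared un-normalized against a normalized child, and the outcome depends on how the parent happens to be spelled rather than on where it points; normalize both sides: `if (pathToCheck.normalize().startsWith(parentPath.normalize())) {`. Path.startsWith compares whole name elements, so `/etc` does not match `/etcetera`, which is the right semantics for a containment check. Normalization is purely lexical; if either path can contain symbolic links this comparison does not see through them, and a `toRealPath()`-based comparison would be needed for that case, which is outside what the hunk shows. The enclosing method starts and ends outside the hunk.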
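Review bot: The two new tests cover a dot-dot that escapes the parent and one that stays inside it, but neither exercises the boundaries the check is most sensitive to: a path equal to the parent itself, a sibling directory sharing a string prefix with the parent, and a parentPath that itself contains `..`. Adding, for instance, `FileUtils.checkDirectoryTraversal("/etc/", "/etc/");` as a success case and `FileUtils.checkDirectoryTraversal("/etc/", "/etcetera/x");` under `@Test(expected = ForbiddenException.class)` would pin the name-element semantics of Path.startsWith that the fix relies on. The String overload of checkDirectoryTraversal called here is not visible in this diff, so where the String-to-Path conversion happens is inferred, not shown.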