diff --git a/keep_alive.py b/keep_alive.py
index eb3c21e9..1cb26592 100644
--- a/keep_alive.py
+++ b/keep_alive.py
@@ -45,7 +45,14 @@ def home():
 @app.route('/datafiles//')
 def jsondat(file,passkey=0):
 if passkey=="1498657841136236":
- return loads(open(f'{file}.json', 'r').read())
+ base_path = '/Backups'
+ #GOOD -- Verify with normalised version of path
+ fullpath = os.path.normpath(os.path.join(base_path, filename))
+ if not fullpath.startswith(base_path):
+ raise Exception("not allowed")
+ data = loads(open(fullpath, 'rb').read())
+ return data
+ #return loads(open(f'{file}.json', 'r').read())
 else:
 return "Access to NEW LIGHT DATA FILES is restricted."
@@ -83,4 +90,4 @@ def keep_alives():
 Creates and starts new thread that runs the function run.
 '''
 t = Thread(target=run)
- t.start()
\ No newline at end of file
+ t.start()
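Review bot: The added path check in jsondat references `filename`, but the function's parameter is `file`, so every request with the right passkey raises NameError before the check runs; that same line also needs `os` to be imported, which this hunk does not show. The guard `fullpath.startswith(base_path)` is a plain string-prefix test, so a sibling directory such as `/Backups-old` passes it, and normpath does not resolve symlinks, so a link inside the base directory can still point outside it; resolving both sides with `os.path.realpath` and comparing with `os.path.commonpath` closes both gaps. The new line also drops the `.json` suffix the old code appended, which makes every file type under the base directory readable (restored below; remove it if the change was intentional), and the handle from `open(...).read()` is never closed. Raising a bare `Exception` surfaces as a 500 to the client where a specific error or a 403 response would be clearer, and the `#GOOD -- Verify with normalised version of path` comment overstates what the check does and should be reworded to describe the actual containment rule.
```python
        base_path = os.path.realpath('/Backups')
        # Resolve symlinks and '..' before comparing, and compare on path
        # components rather than a string prefix so '/Backups-old' is rejected.
        fullpath = os.path.realpath(os.path.join(base_path, f'{file}.json'))
        if os.path.commonpath([base_path, fullpath]) != base_path:
            raise Exception("not allowed")
        with open(fullpath, 'rb') as fh:
            data = loads(fh.read())
        return data
```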