diff --git a/composer.json b/composer.json
index 59646d5e4..35e4052ab 100644
--- a/composer.json
+++ b/composer.json
@@ -1,31 +1,31 @@
 {
- "name": "cakephp/cakephp",
- "description": "The CakePHP framework",
- "type": "library",
- "keywords": ["framework"],
- "homepage": "http://cakephp.org",
- "license": "MIT",
- "authors": [
- {
- "name": "CakePHP Community",
- "homepage": "https://github.com/cakephp/cakephp/graphs/contributors"
- }
- ],
- "support": {
- "issues": "https://github.com/cakephp/cakephp/issues",
- "forum": "http://stackoverflow.com/tags/cakephp",
- "irc": "irc://irc.freenode.org/cakephp",
- "source": "https://github.com/cakephp/cakephp"
- },
- "require": {
- "php": ">=5.2.8",
- "ext-mcrypt": "*"
- },
- "require-dev": {
- "phpunit/phpunit": "3.7.*",
- "cakephp/debug_kit" : "2.2.*"
- },
- "bin": [
- "lib/Cake/Console/cake"
- ]
+ "name": "cakephp/cakephp",
+ "description": "The CakePHP framework",
+ "type": "library",
+ "keywords": ["framework"],
+ "homepage": "http://cakephp.org",
+ "license": "MIT",
+ "authors": [
+ {
+ "name": "CakePHP Community",
+ "homepage": "https://github.com/cakephp/cakephp/graphs/contributors"
+ }
+ ],
+ "support": {
+ "issues": "https://github.com/cakephp/cakephp/issues",
+ "forum": "http://stackoverflow.com/tags/cakephp",
+ "irc": "irc://irc.freenode.org/cakephp",
+ "source": "https://github.com/cakephp/cakephp"
+ },
+ "require": {
+ "php": ">=5.2.8",
+ "ext-mcrypt": "*"
+ },
+ "require-dev": {
+ "phpunit/phpunit": "3.7.*",
+ "cakephp/debug_kit" : "2.2.*"
+ },
+ "bin": [
+ "lib/Cake/Console/cake"
+ ]
 }
diff --git a/lib/Cake/Network/CakeResponse.php b/lib/Cake/Network/CakeResponse.php
index 30b5a3a06..13deae3e4 100644
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@@ -1320,7 +1320,8 @@ class CakeResponse {
 * - name: Alternate download name
 * - download: If `true` sets download header and forces file to be downloaded rather than displayed in browser
 *
- * @param string $path Path to file
+ * @param string $path Path to file. If the path is not an absolute path that resolves
+ * to a file, `APP` will be prepended to the path.
 * @param array $options Options See above.
 * @return void
 * @throws NotFoundException
@@ -1331,6 +1332,13 @@ class CakeResponse {
 'download' => null
 );
 
+ if (strpos($path, '..') !== false) {
+ throw new NotFoundException(__d(
+ 'cake_dev',
+ 'The requested file contains `..` and will not be read.'
+ ));
+ }
+
 if (!is_file($path)) {
 $path = APP . $path;
 }
diff --git a/lib/Cake/Test/Case/Network/CakeResponseTest.php b/lib/Cake/Test/Case/Network/CakeResponseTest.php
index c3c0181b0..59504de14 100644
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
@@ -1166,6 +1166,17 @@ class CakeResponseTest extends CakeTestCase {
 $response->file('/some/missing/folder/file.jpg');
 }
 
+/**
+ * test file with ..
+ *
+ * @expectedException NotFoundException
+ * @return void
+ */
+ public function testFileWithPathTraversal() {
+ $response = new CakeResponse();
+ $response->file('my/../cat.gif');
+ }
+
 /**
 * testFile method
 *
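Review bot: The sentence added to the `@param` tag in the first hunk says `APP` is prepended when the path "is not an absolute path that resolves to a file", but the code in the second hunk prepends `APP` to any value for which `is_file($path)` is false, whether it is relative or absolute, and presumably a relative path that happens to resolve against the working directory is served as given. The docblock should follow the code rather than the intent, e.g. `@param string $path Path to file. If the given path does not already resolve to a file, APP is prepended to it.` The documented `file()` method starts and ends outside the hunk.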
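Review bot: The guard added in the second hunk is a plain substring test, so every `$path` containing `..` is refused, including ordinary filenames such as `report..final.pdf` that cannot leave a directory, while the property actually wanted for the relative case — that the file stays under `APP` — is never checked against the resolved location. Since the following `is_file()`/`APP` fallback is the branch meant for relative paths, the stronger control is to canonicalise after the prefix is applied and verify containment, e.g. `$real = realpath($path);` then `if ($real === false || strpos($real, APP) !== 0) { throw new NotFoundException(...); }` for the `APP`-prefixed branch (assuming `APP` is itself canonical with a trailing separator), which rejects traversal however it is spelled and still permits `..` inside a filename. If the substring check is kept as an additional layer, a comment such as `// Reject relative segments outright instead of resolving them; this deliberately refuses filenames that merely contain '..'.` would make the 404 for otherwise valid names intentional rather than surprising. The enclosing `file()` method starts and ends outside the hunk.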
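Review bot: `testFileWithPathTraversal` in this hunk passes `my/../cat.gif`, a target that does not exist, so the expected NotFoundException would also be thrown by the pre-existing missing-file path exercised by the test directly above it; the test therefore does not demonstrate that the new `..` guard is what fired. Pin the new behaviour either by asserting on the message, e.g. adding `@expectedExceptionMessage The requested file contains` next to `@expectedException NotFoundException` (assuming `__d()` yields the untranslated string in the test environment), or by pointing at a fixture that does exist once `..` is resolved so that only the guard can produce the exception. `CakeResponseTest` continues outside the hunk.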