diff --git a/cmd/root.go b/cmd/root.go
index 888f83b..9718942 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -182,7 +182,7 @@ var rootCmd = &cobra.Command{
 		}
 
 		for _, file := range index.Files {
-			ok, err := util.PathIsSubpath(file.Path, serverDir)
+			ok, err := util.PathIsSubpath(path.Join(serverDir, file.Path), serverDir)
 			if err != nil {
 				log.Println(err.Error())
 			}
diff --git a/cmd/update.go b/cmd/update.go
index 72458c4..a90e5c9 100644
--- a/cmd/update.go
+++ b/cmd/update.go
@@ -148,13 +148,13 @@ var updateCmd = &cobra.Command{
 			log.Fatalln(err)
 		}
 
-		for path, _ := range newModPackInfo.File {
-			ok, err := util.PathIsSubpath(string(path), serverDir)
+		for p, _ := range newModPackInfo.File {
+			ok, err := util.PathIsSubpath(path.Join(serverDir, string(p)), serverDir)
 			if err != nil {
 				log.Println(err.Error())
 			}
 			if err != nil || !ok {
-				log.Fatalln("File path is not safe: " + path)
+				log.Fatalln("File path is not safe: " + p)
 			}
 		}