diff --git a/modules/Emails/views/MassSaveAjax.php b/modules/Emails/views/MassSaveAjax.php
index be14047ea4605a7bdcfc781407439faca932d603..f230e536c0a2fd4fb104ca450c63cda74345ab25 100644
--- a/modules/Emails/views/MassSaveAjax.php
+++ b/modules/Emails/views/MassSaveAjax.php
@@ -220,13 +220,9 @@ class Emails_MassSaveAjax_View extends Vtiger_Footer_View {
 					$encryptFileName = Vtiger_Util_Helper::getEncryptedFileName($binFile);
 					$newFilePath = $upload_file_path . $current_id . "_" . $encryptFileName;
 
-					Vtiger_Utils::checkFileAccess($oldFilePath);
-
-					//restrict attachment only from storage directory
-					$oldFileRelPath = str_replace('\\', '/', str_replace(realpath($root_directory).DIRECTORY_SEPARATOR, "", realpath($oldFilePath)));
-					if (strpos($oldFileRelPath, "storage/") !== 0) {
-                                                throw new Exception("Attachment access denied");
-                                        }
+					//expect attachment only from storage directory
+					Vtiger_Utils::checkFileAccessIn($oldFilePath, ["storage"]);
+					
 					copy($oldFilePath, $newFilePath);
 
 					$sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)";
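Review bot: The containment check before `copy()` now rests entirely on `Vtiger_Utils::checkFileAccessIn`, and the call discards its return value, so the copy is blocked only if the helper halts on failure through the default `$dieOnFail=true`. The removed code compared the `realpath()`-resolved path against `storage/` with a trailing slash, while the new argument is `["storage"]`. The helper's body is not visible in this hunk, so confirm that it canonicalises the path (symlinks and `..`) and matches on a directory boundary rather than a bare prefix; otherwise a sibling directory such as `storage_old/` would pass. I would add a comment on the call, `// halts on failure (dieOnFail defaults to true); path must resolve inside <root>/storage/`, and check the result of `copy()` before the insert that follows. The enclosing method starts and ends outside the hunk.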
diff --git a/vtlib/Vtiger/Utils.php b/vtlib/Vtiger/Utils.php
index e5415688d6a1410ef652541f26a2dad7fd109941..772ab948b42924afca4383aa55eb4cd48a0417c2 100644
--- a/vtlib/Vtiger/Utils.php
+++ b/vtlib/Vtiger/Utils.php
@@ -88,11 +88,21 @@ class Vtiger_Utils {
 	}
 
 	/** 
-	 * Function to check the file access is made within web root directory. 
+	 * Function to check the file access is made within web root directory.
 	 * @param String File path to check
 	 * @param Boolean False to avoid die() if check fails
 	 */
 	static function checkFileAccess($filepath, $dieOnFail=true) {
+		return checkFileAccessIn($filepath, null, $dieOnFail);
+	}
+
+	/** 
+	 * Function to check the file access is made within web root directory (with optional sub-directories)
+	 * @param String File path to check
+	 * @param Array Relative paths within web root directory.
+	 * @param Boolean False to avoid die() if check fails
+	 */
+	static function checkFileAccessIn($filepath, array $relpaths = null, $dieOnFail=true) {
 		global $root_directory;
 
 		// Set the base directory to compare with
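Review bot: The new body of `checkFileAccess` calls `checkFileAccessIn(...)` as an unqualified function, which PHP resolves to a global function rather than to the static method added just below. Unless a global of that name exists elsewhere, every existing caller of `checkFileAccess` will stop with an undefined-function error instead of running the path check. The line should read `return self::checkFileAccessIn($filepath, null, $dieOnFail);`. Separately, `array $relpaths = null` relies on implicit nullability; `?array $relpaths = null` states it explicitly if the supported PHP versions allow it, and the new docblock could say what is returned when `$dieOnFail` is false. The body of `checkFileAccessIn` continues outside the hunk, so how `$relpaths` is applied cannot be reviewed here.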