--- loncom/auth/lonlogout.pm 2015/03/12 00:50:46 1.45.2.3 +++ loncom/auth/lonlogout.pm 2018/05/02 19:02:27 1.45.2.3.2.2 @@ -1,7 +1,7 @@ # The LearningOnline Network # Logout Handler # -# $Id: lonlogout.pm,v 1.45.2.3 2015/03/12 00:50:46 raeburn Exp $ +# $Id: lonlogout.pm,v 1.45.2.3.2.2 2018/05/02 19:02:27 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -45,9 +45,11 @@ use strict; use Apache::Constants qw(:common); use Apache::File; use Apache::lonnet; +use Apache::loncommon; use Apache::lonmenu; use CGI::Cookie(); use Apache::lonlocal; +use LONCAPA qw(:DEFAULT :match); sub handler { my $r = shift; 
@@ -105,19 +107,32 @@ sub handler {
 $switch);
 } else {
 my $domain = $env{'user.domain'};
- my $headextra;
- if ($env{'request.sso.login'}
- && defined($r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
- if (open(my $fh,$r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
- $headextra = join('',<$fh>);
- close($fh);
- }
- }
- if ($env{'request.sso.login'}
- && defined($r->dir_config('lonSSOUserLogoutHeadFile'))) {
- if (open(my $fh,$r->dir_config('lonSSOUserLogoutHeadFile'))) {
- $headextra.= join('',<$fh>);
- close($fh);
+ my ($headextra,$ssofile);
+ if ($env{'request.sso.login'}) {
+ my $londocroot = $r->dir_config('lonDocRoot');
+ if ($domain =~ /^$match_domain$/) {
+ if (defined($r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
+ $ssofile = '/'.&Apache::loncommon::clean_path($r->dir_config("lonSSOUserLogoutHeadFile_$domain"));
+ if ($ssofile eq $r->dir_config("lonSSOUserLogoutHeadFile_$domain")) {
+ if ($ssofile =~ /^\Q$londocroot\E/) {
+ if (open(my $fh,'<',$ssofile)) {
+ $headextra = join('',<$fh>);
+ close($fh);
+ }
+ }
+ }
+ }
+ }
+ if (defined($r->dir_config('lonSSOUserLogoutHeadFile'))) {
+ $ssofile = '/'.&Apache::loncommon::clean_path($r->dir_config('lonSSOUserLogoutHeadFile'));
+ if ($ssofile eq $r->dir_config('lonSSOUserLogoutHeadFile')) {
+ if ($ssofile =~ /^\Q$londocroot\E/) {
+ if (open(my $fh,'<',$ssofile)) {
+ $headextra.= join('',<$fh>);
+ close($fh);
+ }
+ }
+ }
 }
 }
 $start_page=&Apache::loncommon::start_page('Logged Out',$headextra,
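Review bot: The docroot confinement in both new branches, `if ($ssofile =~ /^\Q$londocroot\E/)`, is a bare prefix match, so a sibling directory whose name merely begins with the docroot string also passes, and if `lonDocRoot` is unset the pattern is empty and matches every path. Anchoring on the separator and requiring a non-empty root closes both: `if (defined($londocroot) && $londocroot ne '' && $ssofile =~ m{^\Q$londocroot\E/})`. The check is made on the path string only; whether `clean_path` or anything else resolves symlinks is not visible here, so a link inside the docroot may still lead outside it. The two branches are otherwise identical and would read better as one small helper that takes the config key. `handler` begins before this hunk and continues past it.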
@@ -181,14 +196,14 @@ Due to security reasons in new web brows
 }
 if ($env{'request.sso.login'}
 && defined($r->dir_config("lonSSOUserLogoutMessageFile_$domain"))) {
- if (open(my $fh,$r->dir_config("lonSSOUserLogoutMessageFile_$domain"))) {
+ if (open(my $fh,'<',$r->dir_config("lonSSOUserLogoutMessageFile_$domain"))) {
 $relogmessage.= join('',<$fh>);
 close($fh);
 }
 }
 if ($env{'request.sso.login'}
 && defined($r->dir_config('lonSSOUserLogoutMessageFile'))) {
- if (open(my $fh,$r->dir_config('lonSSOUserLogoutMessageFile'))) {
+ if (open(my $fh,'<',$r->dir_config('lonSSOUserLogoutMessageFile'))) {
 $relogmessage.= join('',<$fh>);
 close($fh);
 }
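Review bot: The two `lonSSOUserLogoutMessageFile` reads get only the explicit `'<'` mode here, while the head-file reads in the earlier hunk of this commit are additionally passed through `clean_path`, compared with the configured value and confined to `lonDocRoot`. If that confinement is the intended policy for files whose contents are appended to the logout page (`$relogmessage` here), the message-file paths should go through the same checks before `open`, ideally through a shared helper. If the difference is deliberate, a comment such as `# message file may live outside lonDocRoot; path comes from server config only` would record why. `$domain` is interpolated into the config key here without the `$match_domain` test the head-file branch applies, though where it is assigned for this code is outside the hunk. The enclosing block starts and ends outside the hunk.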