--- loncom/auth/lonlogout.pm	2017/02/25 20:00:36	1.50
+++ loncom/auth/lonlogout.pm	2018/05/01 13:47:53	1.53
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Logout Handler
 #
-# $Id: lonlogout.pm,v 1.50 2017/02/25 20:00:36 raeburn Exp $
+# $Id: lonlogout.pm,v 1.53 2018/05/01 13:47:53 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -45,9 +45,11 @@ use strict;
 use Apache::Constants qw(:common);
 use Apache::File;
 use Apache::lonnet;
+use Apache::loncommon;
 use Apache::lonmenu;
 use CGI::Cookie();
 use Apache::lonlocal;
+use LONCAPA qw(:DEFAULT :match);
 
 sub handler {
     my $r = shift;
@@ -98,7 +100,7 @@ sub handler {
 			    -value   => '',
 			    -expires => '-10y',);
     $r->headers_out->add('Set-cookie' => $c);
-    if (($name eq 'lonID') && ($env{'user.linkeenv'})) {
+    if (($name eq 'lonID') && ($env{'user.linkedenv'})) {
         my $other = new CGI::Cookie(-name    => 'lonLinkID',
                                     -value   => '',
                                     -expires => '-10y',);
@@ -120,19 +122,32 @@ sub handler {
 						   $switch);
     } else {
         my $domain = $env{'user.domain'};
-        my $headextra;
-        if ($env{'request.sso.login'}
-            && defined($r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
-            if (open(my $fh,$r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
-                $headextra = join('',<$fh>);
-                close($fh);
-            }
-        }
-        if ($env{'request.sso.login'}
-            && defined($r->dir_config('lonSSOUserLogoutHeadFile'))) {
-            if (open(my $fh,$r->dir_config('lonSSOUserLogoutHeadFile'))) {
-                $headextra.= join('',<$fh>);
-                close($fh);
+        my ($headextra,$ssofile);
+        if ($env{'request.sso.login'}) {
+            my $londocroot = $r->dir_config('lonDocRoot');
+            if ($domain =~ /^$match_domain$/) {
+                if (defined($r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
+                    $ssofile = '/'.&Apache::loncommon::clean_path($r->dir_config("lonSSOUserLogoutHeadFile_$domain"));
+                    if ($ssofile eq $r->dir_config("lonSSOUserLogoutHeadFile_$domain")) {
+                        if ($ssofile =~ /^\Q$londocroot\E/) {
+                            if (open(my $fh,'<',$ssofile)) {
+                                $headextra = join('',<$fh>);
+                                close($fh);
+                            }
+                        }
+                    }
+                }
+            }
+            if (defined($r->dir_config('lonSSOUserLogoutHeadFile'))) {
+                $ssofile = '/'.&Apache::loncommon::clean_path($r->dir_config('lonSSOUserLogoutHeadFile'));
+                if ($ssofile eq $r->dir_config('lonSSOUserLogoutHeadFile')) {
+                    if ($ssofile =~ /^\Q$londocroot\E/) {
+                        if (open(my $fh,'<',$ssofile)) {
+                            $headextra.= join('',<$fh>);
+                            close($fh);
+                        }
+                    }
+                }
             }
         }
 	$start_page=&Apache::loncommon::start_page('Logged Out',$headextra,
@@ -195,14 +210,14 @@ Due to security reasons in new web brows
         }
         if ($env{'request.sso.login'}
 	    && defined($r->dir_config("lonSSOUserLogoutMessageFile_$domain"))) {
-	    if (open(my $fh,$r->dir_config("lonSSOUserLogoutMessageFile_$domain"))) {
+	    if (open(my $fh,'<',$r->dir_config("lonSSOUserLogoutMessageFile_$domain"))) {
 	        $relogmessage.= join('',<$fh>);
                 close($fh);
             }
 	}
 	if ($env{'request.sso.login'}
 	    && defined($r->dir_config('lonSSOUserLogoutMessageFile'))) {
-	    if (open(my $fh,$r->dir_config('lonSSOUserLogoutMessageFile'))) {
+	    if (open(my $fh,'<',$r->dir_config('lonSSOUserLogoutMessageFile'))) {
 	        $relogmessage.= join('',<$fh>);
                 close($fh);
             }