--- loncom/cgi/plot.gif 2001/12/21 14:43:50 1.6
+++ loncom/cgi/plot.gif 2001/12/21 16:10:58 1.7
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# $Id: plot.gif,v 1.6 2001/12/21 14:43:50 matthew Exp $
+# $Id: plot.gif,v 1.7 2001/12/21 16:10:58 matthew Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -29,8 +29,13 @@
 use strict;
 $|=1;
 my $tmpdir = '/home/httpd/perl/tmp/';
-my $filename = $tmpdir . $ENV{'QUERY_STRING'};
+my $filename = $ENV{'QUERY_STRING'};
+if ($filename =~ /\// |
+ $filename !~ /_plot.data$/) {
+ die;
+}
+$filename = $tmpdir . $filename;
 if (-e $filename) {
 open PLOT, "gnuplot $filename |";
 print <<"END";