--- loncom/interface/portfolio.pm 2017/05/19 23:41:28 1.258
+++ loncom/interface/portfolio.pm 2017/08/12 01:32:14 1.259
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # portfolio browser
 #
-# $Id: portfolio.pm,v 1.258 2017/05/19 23:41:28 raeburn Exp $
+# $Id: portfolio.pm,v 1.259 2017/08/12 01:32:14 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -2615,6 +2615,45 @@ sub free_space {
     return $free_space;
 }
+sub valid_container {
+    my ($uname,$udom,$group) = @_;
+    my $container_prefix;
+    if ($group ne '') {
+        $container_prefix = "/uploaded/$udom/$uname/groups/$group/portfolio";
+    } else {
+        $container_prefix = "/uploaded/$udom/$uname/portfolio";
+    }
+    if ($env{'form.currentpath'}) {
+        $container_prefix .= $env{'form.currentpath'};
+    } else {
+        $container_prefix .= '/';
+    }
+    if ($env{'form.container'} =~ m{^\Q$container_prefix\E(.+)$}) {
+        my $filename = $1;
+        if ($filename eq &Apache::lonnet::clean_filename($filename)) {
+            return 1;
+        }
+    }
+    return;
+}
+
+sub invalid_parms {
+    my ($r,$url,$currentpath) = @_;
+    my $escpath = &HTML::Entities::encode($currentpath,'&<>"');
+    my $rtnlink = ''.&mt('Return to directory').'';
+    $r->print('

'.&mt('Action disallowed').'

');
+    $r->print(&mt('Some of the data included with this request were invalid'));
+    $r->print('
'.$rtnlink);
+    return;
+}
+
 sub handler {
     # this handles file management
     my $r = shift;
@@ -2763,6 +2802,21 @@ sub handler {
             $r->print(&Apache::loncommon::end_page());
             return OK;
         }
+    }
+    if (($env{'form.currentpath'}) && ($env{'form.currentpath'} ne '/')) {
+        my $clean_currentpath = '/'.&Apache::loncommon::clean_path($env{'form.currentpath'}).'/';
+        unless ($env{'form.currentpath'} eq $clean_currentpath) {
+            &invalid_parms($r,$url);
+            $r->print(&Apache::loncommon::end_page());
+            return OK;
+        }
+    }
+    if ($env{'form.container'}) {
+        unless (&valid_container($uname,$udom,$group)) {
+            &invalid_parms($r,$url,$env{'form.currentpath'});
+            $r->print(&Apache::loncommon::end_page());
+            return OK;
+        }
     }
     if (($env{'form.storeupl'}) & (!$env{'form.uploaddoc.filename'})){
         $r->print(
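Review bot: In valid_container the pattern `m{^\Q$container_prefix\E(.+)$}` anchors with `$`, which also matches just before a trailing newline, so a form.container value ending in "\n" passes the check while the caller presumably goes on using the raw `$env{'form.container'}` rather than the captured `$filename`. Anchoring with `\z` closes that gap: `if ($env{'form.container'} =~ m{^\Q$container_prefix\E(.+)\z}) {`. The capture `(.+)` also accepts embedded `/`; whether clean_filename rejects path separators is decided outside this hunk, so a comment such as `# $filename must be a single path component; relies on clean_filename rewriting '/'` would record the assumption being made here. Separately, `if ($group ne '')` warns under `use warnings` when a caller passes an undefined $group, which `if (defined($group) && $group ne '')` avoids.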