--- loncom/lond 2016/08/06 20:05:01 1.489.2.19 +++ loncom/lond 2016/08/11 09:52:39 1.489.2.20 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.489.2.19 2016/08/06 20:05:01 raeburn Exp $ +# $Id: lond,v 1.489.2.20 2016/08/11 09:52:39 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -61,7 +61,7 @@ my $DEBUG = 0; # Non zero to ena my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.489.2.19 $'; #' stupid emacs +my $VERSION='$Revision: 1.489.2.20 $'; #' stupid emacs my $remoteVERSION; my $currenthostid="default"; my $currentdomainid; @@ -5295,7 +5295,9 @@ sub retrieve_auto_file_handler { my ($filename) = split(/:/, $tail); my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename; - if ( (-e $source) && ($filename ne '') ) { + if ($filename =~m{/\.\./}) { + &Failure($client, "refused\n", $userinput); + } elsif ( (-e $source) && ($filename ne '') ) { my $reply = ''; if (open(my $fh,$source)) { while (<$fh>) {
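Review bot: The new guard in retrieve_auto_file_handler tests `$filename` only for the substring `/../`, but `$source` is built as `$perlvar{'lonDaemons'}.'/tmp/'.$filename`, so a name whose first component is `..` (or that ends in `/..`) does not match and still resolves outside the tmp directory. Matching `..` as a whole path component would cover those cases: `if ($filename =~ m{(?:\A|/)\.\.(?:/|\z)}) {`. The context line `open(my $fh,$source)` is a two-argument open on a name that appears to come from the request (`$tail`), so mode characters at either end of the name are interpreted by Perl; `open(my $fh,'<',$source)` avoids that. The first two hunks only bump the revision strings, and the body of the sub continues past the end of this hunk.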