--- loncom/lond	2016/09/24 19:16:57	1.489.2.23
+++ loncom/lond	2016/09/24 19:44:15	1.489.2.24
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.489.2.23 2016/09/24 19:16:57 raeburn Exp $
+# $Id: lond,v 1.489.2.24 2016/09/24 19:44:15 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -64,7 +64,7 @@ my $DEBUG = 0;		       # Non zero to ena
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.489.2.23 $'; #' stupid emacs
+my $VERSION='$Revision: 1.489.2.24 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -5463,7 +5463,7 @@ sub auto_export_grades_handler {
 #    $cmd      - The command that got us dispatched.
 #    $tail     - The tail of the command.  In our case this is a colon 
 #                separated list that will be split into:
-#                $filename - The name of the file to remove.
+#                $filename - The name of the file to retrieve.
 #                            The filename is given as a path relative to
 #                            the LonCAPA temp file directory.
 #    $client   - Socket open on the client.
@@ -5479,6 +5479,8 @@ sub retrieve_auto_file_handler {
     my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;
     if ($filename =~m{/\.\./}) {
         &Failure($client, "refused\n", $userinput);
+    } elsif ($filename !~ /^$LONCAPA::match_domain\_$LONCAPA::match_courseid\_.+_classlist\.xml$/) {
+        &Failure($client, "refused\n", $userinput);
     } elsif ( (-e $source) && ($filename ne '') ) {
 	my $reply = '';
 	if (open(my $fh,$source)) {