--- loncom/lond 2016/05/08 19:05:10 1.520
+++ loncom/lond 2016/05/08 20:48:35 1.521
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.520 2016/05/08 19:05:10 raeburn Exp $
+# $Id: lond,v 1.521 2016/05/08 20:48:35 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -64,7 +64,7 @@ my $DEBUG = 0; # Non zero to ena
 my $status='';
 my $lastlog='';
-my $VERSION='$Revision: 1.520 $'; #' stupid emacs
+my $VERSION='$Revision: 1.521 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -5482,7 +5482,10 @@ sub retrieve_auto_file_handler {
 my ($filename) = split(/:/, $tail);
 my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;
- if ( (-e $source) && ($filename ne '') ) {
+
+ if ($filename =~m{/\.\./}) {
+ &Failure($client, "refused\n", $userinput);
+ } elsif ( (-e $source) && ($filename ne '') ) {
 my $reply = '';
 if (open(my $fh,$source)) {
 while (<$fh>) {
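Review bot: The added guard `$filename =~m{/\.\./}` in retrieve_auto_file_handler only refuses a `..` that has a slash on both sides inside `$filename`, so a name whose first path component is `..` passes the check, and because `$source` is built as `$perlvar{'lonDaemons'}.'/tmp/'.$filename` it still resolves outside the tmp directory. Match on path components instead, e.g. `if ($filename =~ m{(?:\A|/)\.\.(?:/|\z)}) {`, or apply the existing pattern to `$source` rather than `$filename`. The context line `open(my $fh,$source)` is a two-argument open; `open(my $fh, '<', $source)` would stop any part of the client-supplied name from being interpreted as an open mode or pipe. The function body starts before and continues past this hunk, so how `$tail` is validated upstream is not visible here.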