--- loncom/lond	2016/09/12 20:20:44	1.525
+++ loncom/lond	2016/09/20 23:48:07	1.526
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.525 2016/09/12 20:20:44 raeburn Exp $
+# $Id: lond,v 1.526 2016/09/20 23:48:07 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -64,7 +64,7 @@ my $DEBUG = 0;		       # Non zero to ena
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.525 $'; #' stupid emacs
+my $VERSION='$Revision: 1.526 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -5667,7 +5667,7 @@ sub auto_export_grades_handler {
 #    $cmd      - The command that got us dispatched.
 #    $tail     - The tail of the command.  In our case this is a colon 
 #                separated list that will be split into:
-#                $filename - The name of the file to remove.
+#                $filename - The name of the file to retrieve.
 #                            The filename is given as a path relative to
 #                            the LonCAPA temp file directory.
 #    $client   - Socket open on the client.
@@ -5684,6 +5684,8 @@ sub retrieve_auto_file_handler {
 
     if ($filename =~m{/\.\./}) {
         &Failure($client, "refused\n", $userinput);
+    } elsif ($filename !~ /^$LONCAPA::match_domain\_$LONCAPA::match_courseid\_.+_classlist\.xml$/) {
+        &Failure($client, "refused\n", $userinput);
     } elsif ( (-e $source) && ($filename ne '') ) {
 	my $reply = '';
 	if (open(my $fh,$source)) {