--- loncom/publisher/lonupload.pm 2015/09/11 20:12:30 1.67
+++ loncom/publisher/lonupload.pm 2017/11/12 23:01:00 1.68
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to upload files into construction space
 #
-# $Id: lonupload.pm,v 1.67 2015/09/11 20:12:30 raeburn Exp $
+# $Id: lonupload.pm,v 1.68 2017/11/12 23:01:00 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -130,7 +130,7 @@ use Apache::lonnet;
 use HTML::Entities();
 use Apache::lonlocal;
 use Apache::lonnet;
-use LONCAPA();
+use LONCAPA qw(:DEFAULT :match);
 my $DEBUG=0;
@@ -150,8 +150,12 @@ sub upfile_store {
 chomp($env{'form.upfile'});
- my $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}.
- '_upload_'.$fname.'_'.time.'_'.$$;
+ my $datatoken;
+ if (($env{'user.name'} =~ /^$match_username$/) && ($env{'user.domain'} =~ /^$match_domain$/)) {
+ $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}.
+ '_upload_'.$fname.'_'.time.'_'.$$;
+ }
+ return if ($datatoken eq '');
 {
 my $fh=Apache::File->new('>'.$r->dir_config('lonDaemons').
 '/tmp/'.$datatoken.'.tmp');
@@ -279,7 +283,10 @@ sub phasetwo {
 $base = &HTML::Entities::encode($base,'<>&"');
 my $url = $path."/".$base;
 &Debug($r, "URL is now ".$url);
- my $datatoken=$env{'form.datatoken'};
+ my $datatoken;
+ if ($env{'form.datatoken'} =~ /^$match_username\_$match_domain\_upload_\w*_\d+_\d+$/) {
+ $datatoken = $env{'form.datatoken'};
+ }
 if (($fn) && ($datatoken)) {
 if ($env{'form.cancel'}) {
 my $source=$r->dir_config('lonDaemons').'/tmp/'.$datatoken.'.tmp';
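Review bot: In upfile_store, `return if ($datatoken eq '');` compares an undefined value whenever the name/domain check fails, which produces an "uninitialized value" warning if warnings are enabled and hands the caller a bare return with no record of why the upload was refused; `return unless (defined($datatoken));`, preceded by a log entry, would make the rejection explicit and observable. Both new patterns end in `$`, which also matches before a trailing newline, so `\z` is the stricter anchor for values that become part of a file name under lonDaemons/tmp. `$fname` is concatenated into the same path, and whatever sanitising it receives happens outside this hunk, as does the start of the function.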
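Review bot: The new pattern in phasetwo validates only the shape of `form.datatoken`, not that the token belongs to the requesting user, so a well-formed token carrying a different user name and domain still selects that file under lonDaemons/tmp. Since upfile_store builds the token from `$env{'user.name'}` and `$env{'user.domain'}`, and assuming the same session performs both phases, the check can bind to the session: `if ($env{'form.datatoken'} =~ /^\Q$env{'user.name'}\E_\Q$env{'user.domain'}\E_upload_\w*_\d+_\d+\z/) {`. The `\z` also closes the trailing-newline case that `$` permits. What happens to a rejected token depends on the else branch of `if (($fn) && ($datatoken))`, which lies outside the hunk.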