[LON-CAPA-cvs] cvs: loncom /auth lonlogout.pm

[raeburn]

raeburn		Fri Aug 18 18:13:33 2017 EDT

  Modified files:              
    /loncom/auth	lonlogout.pm 
  Log:
  - Sanity checking
  
  
Index: loncom/auth/lonlogout.pm
diff -u loncom/auth/lonlogout.pm:1.50 loncom/auth/lonlogout.pm:1.51
--- loncom/auth/lonlogout.pm:1.50	Sat Feb 25 20:00:36 2017
+++ loncom/auth/lonlogout.pm	Fri Aug 18 18:13:33 2017
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Logout Handler
 #
-# $Id: lonlogout.pm,v 1.50 2017/02/25 20:00:36 raeburn Exp $
+# $Id: lonlogout.pm,v 1.51 2017/08/18 18:13:33 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -45,9 +45,11 @@
 use Apache::Constants qw(:common);
 use Apache::File;
 use Apache::lonnet;
+use Apache::loncommon;
 use Apache::lonmenu;
 use CGI::Cookie();
 use Apache::lonlocal;
+use LONCAPA qw(:DEFAULT :match); 
 
 sub handler {
     my $r = shift;
@@ -120,19 +122,32 @@
 						   $switch);
     } else {
         my $domain = $env{'user.domain'};
-        my $headextra;
-        if ($env{'request.sso.login'}
-            && defined($r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
-            if (open(my $fh,$r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
-                $headextra = join('',<$fh>);
-                close($fh);
-            }
-        }
-        if ($env{'request.sso.login'}
-            && defined($r->dir_config('lonSSOUserLogoutHeadFile'))) {
-            if (open(my $fh,$r->dir_config('lonSSOUserLogoutHeadFile'))) {
-                $headextra.= join('',<$fh>);
-                close($fh);
+        my ($headextra,$ssofile);
+        if ($env{'request.sso.login'}) {
+            my $londocroot = $r->dir_config('lonDocRoot');
+            if ($domain =~ /^$match_domain$/) {
+                if (defined($r->dir_config("lonSSOUserLogoutHeadFile_$domain"))) {
+                    $ssofile = '/'.&Apache::loncommon::clean_path($r->dir_config("lonSSOUserLogoutHeadFile_$domain"));
+                    if ($ssofile eq $r->dir_config("lonSSOUserLogoutHeadFile_$domain")) {
+                        if ($ssofile =~ /^\Q$londocroot\E/) {
+                            if (open(my $fh,"<$ssofile")) {
+                                $headextra = join('',<$fh>);
+                                close($fh);
+                            }
+                        }
+                    }
+                }
+            }
+            if (defined($r->dir_config('lonSSOUserLogoutHeadFile'))) {
+                $ssofile = '/'.&Apache::loncommon::clean_path($r->dir_config('lonSSOUserLogoutHeadFile'));
+                if ($ssofile eq $r->dir_config('lonSSOUserLogoutHeadFile')) {
+                    if ($ssofile =~ /^\Q$londocroot\E/) {
+                        if (open(my $fh,"<$ssofile")) {
+                            $headextra.= join('',<$fh>);
+                            close($fh);
+                        }
+                    }
+                }
             }
         }
 	$start_page=&Apache::loncommon::start_page('Logged Out',$headextra,