Index: scheduler/client.c =================================================================== --- a/scheduler/client.c (revision 11597) +++ b/scheduler/client.c (working copy) @@ -3316,6 +3316,14 @@ return (0); /* + * Check for "<" or quotes in the path and reject since this is probably + * someone trying to inject HTML... + */ + + if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL) + return (0); + + /* * Check for "/.." in the path... */