--- loncom/interface/portfolio.pm 2014/12/01 22:52:49 1.254
+++ loncom/interface/portfolio.pm 2018/09/14 21:01:02 1.254.2.3
@@ -1,7 +1,7 @@
# The LearningOnline Network
# portfolio browser
#
-# $Id: portfolio.pm,v 1.254 2014/12/01 22:52:49 raeburn Exp $
+# $Id: portfolio.pm,v 1.254.2.3 2018/09/14 21:01:02 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -199,7 +199,8 @@ sub display_portfolio_usage {
.$helpitem
.''
.'
'
- .&Apache::lonhtmlcommon::display_usage($current_disk_usage,$disk_quota)
+ .&Apache::lonhtmlcommon::display_usage($current_disk_usage,
+ $disk_quota,'portfolio')
.'
');
}
@@ -1068,7 +1069,7 @@ sub build_access_summary {
$r->print(&mt('Users: ').$curr_user_list);
} elsif ($scope eq 'ip') {
my $curr_ips_list = &sort_ips($content->{'ip'});
- $r->print(&mt('IP(s): ').$curr_ips_list);
+ $r->print(&mt('IP(s):').' '.$curr_ips_list);
} else {
$r->print(' ');
}
@@ -2567,7 +2568,7 @@ sub get_quota {
} else {
$disk_quota = &Apache::loncommon::get_user_quota($env{'user.name'},
$env{'user.domain'}); #expressed in MB
- $disk_quota = 1000 * $disk_quota; # convert from MB to kB
+ $disk_quota = 1024 * $disk_quota; # convert from MB to kB
}
return $disk_quota;
}
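Review bot: The comment on the changed line in get_quota still reads `# convert from MB to kB` without saying which convention applies, although the factor moved from 1000 to 1024. Stating it would stop a later reader from "correcting" it back, e.g. `# convert from MB to kB (1 MB = 1024 kB)`. The other branch of get_quota starts above this hunk and is not visible, so it is worth confirming that it uses the same factor. If it does not, the two kinds of quota would be compared against disk usage in different units.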
@@ -2597,6 +2598,45 @@ STATE
return $state;
}
+sub valid_container {
+ my ($uname,$udom,$group) = @_;
+ my $container_prefix;
+ if ($group ne '') {
+ $container_prefix = "/uploaded/$udom/$uname/groups/$group/portfolio";
+ } else {
+ $container_prefix = "/uploaded/$udom/$uname/portfolio";
+ }
+ if ($env{'form.currentpath'}) {
+ $container_prefix .= $env{'form.currentpath'};
+ } else {
+ $container_prefix .= '/';
+ }
+ if ($env{'form.container'} =~ m{^\Q$container_prefix\E(.+)$}) {
+ my $filename = $1;
+ if ($filename eq &Apache::lonnet::clean_filename($filename)) {
+ return 1;
+ }
+ }
+ return;
+}
+
+sub invalid_parms {
+ my ($r,$url,$currentpath) = @_;
+ my $escpath = &HTML::Entities::encode($currentpath,'&<>"');
+ my $rtnlink = ''.&mt('Return to directory').'';
+ $r->print(''.&mt('Action disallowed').'
');
+ $r->print(&mt('Some of the data included with this request were invalid'));
+ $r->print('
'.$rtnlink);
+ return;
+}
+
sub handler {
# this handles file management
my $r = shift;
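Review bot: In valid_container the pattern `m{^\Q$container_prefix\E(.+)$}` ends with `$`, which also matches just before a trailing newline. A `form.container` value ending in a newline is therefore accepted, while only the captured part without the newline is compared against clean_filename(). Anchor the whole parameter instead: `if ($env{'form.container'} =~ m{\A\Q$container_prefix\E(.+)\z}) {`. The sub also appends `$env{'form.currentpath'}` to the prefix without checking it, so the result is only meaningful when the caller has already normalised that value. A comment above the sub should say so, e.g. `# Caller must have validated form.currentpath before calling this`.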
@@ -2742,6 +2782,21 @@ sub handler {
$r->print(&Apache::loncommon::end_page());
return OK;
}
+ }
+ if (($env{'form.currentpath'}) && ($env{'form.currentpath'} ne '/')) {
+ my $clean_currentpath = '/'.&Apache::loncommon::clean_path($env{'form.currentpath'}).'/';
+ unless ($env{'form.currentpath'} eq $clean_currentpath) {
+ &invalid_parms($r,$url);
+ $r->print(&Apache::loncommon::end_page());
+ return OK;
+ }
+ }
+ if ($env{'form.container'}) {
+ unless (&valid_container($uname,$udom,$group)) {
+ &invalid_parms($r,$url,$env{'form.currentpath'});
+ $r->print(&Apache::loncommon::end_page());
+ return OK;
+ }
}
if (($env{'form.storeupl'}) & (!$env{'form.uploaddoc.filename'})){
$r->print(
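Review bot: Both new rejection branches in handler print the error page and `return OK`, but record nothing, so requests with a tampered `form.currentpath` or `form.container` leave no trace for anyone monitoring the server. Consider logging the rejection before returning, assuming the project's usual logger is appropriate here, e.g. `&Apache::lonnet::logthis("portfolio: rejected invalid path parameters for $uname:$udom");`. Leave the raw parameter value out of the message, or escape it, so it cannot inject content into the log. The order of the two checks also matters, because valid_container builds its prefix from `form.currentpath`. A short comment above the second `if` should state that the currentpath check must stay first. handler's body begins before and continues after this hunk.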