diff --git i/src/gl-auth-command w/src/gl-auth-command
index 1af4232..f3449a5 100755
--- i/src/gl-auth-command
+++ w/src/gl-auth-command
@@ -154,6 +154,7 @@ die "server is in slave mode; you can only fetch\n"
 if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
     my ($cmd, @args) = split ' ', $ENV{SSH_ORIGINAL_COMMAND};
     if (-x "$GL_ADC_PATH/$cmd") {
+        die "I don't like $cmd\n" if $cmd =~ /\.\./;
         # yes this is rather strict, sorry.
         do { die "I don't like $_\n" unless $_ =~ $ADC_CMD_ARGS_PATT } for ($cmd, @args);
         &log_it("$GL_ADC_PATH/$ENV{SSH_ORIGINAL_COMMAND}");