Index: openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl,v
diff -u -r1.102 -r1.103
--- openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	11 Mar 2010 11:03:01 -0000	1.102
+++ openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	17 Oct 2010 21:06:09 -0000	1.103
@@ -869,6 +869,12 @@
         set extra_url [ad_conn extra_url]
         if { $match_prefix ne "" } {
             if { [string first $match_prefix $extra_url] == 0 } {
+                # An empty root indicates we should reject the attempted reference.  This
+                # is used to block references to embeded package [sitewide-]admin pages that
+                # avoid the request processor permission check
+                if { $root eq "" } {
+                    break
+                }
                 set extra_url [string trimleft \
                     [string range $extra_url [string length $match_prefix] end] /]
             } else {