Index: openacs-4/packages/acs-templating/tcl/file-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/file-procs.tcl,v
diff -u -N -r1.12.2.10 -r1.12.2.11
--- openacs-4/packages/acs-templating/tcl/file-procs.tcl	27 Nov 2022 17:45:28 -0000	1.12.2.10
+++ openacs-4/packages/acs-templating/tcl/file-procs.tcl	2 Mar 2023 17:16:55 -0000	1.12.2.11
@@ -136,6 +136,14 @@
 
     @return The requested property from the file datatype structure.
 } {
+    if {![string is list $file_list]} {
+        #
+        # An invalid list may come from a file_list supplied by a
+        # malicious attacker.  Return empty in this case.
+        #
+        ad_log warning "Invalid list '$file_list'"
+        return
+    }
 
     switch -- $what {
         filename {