Index: openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl,v
diff -u -r1.113.2.2 -r1.113.2.3
--- openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl 3 Sep 2013 08:08:38 -0000 1.113.2.2
+++ openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl 13 Sep 2013 09:40:38 -0000 1.113.2.3
@@ -1120,10 +1120,21 @@
 # None of the extensions from ExtensionPrecedence were found - just pick
 # the first in alphabetical order.
- if { [llength $files] > 0 } {
- set files [lsort $files]
- return [lindex $files 0]
- }
+ #
+ # GN: OpenACS was trying to serve files with arbitrary extensions
+ # (i.e. not included in the kernel parameter ExtensionPrecedence) in
+ # case the requested file was not found. This is quite dangerous
+ # and breaks e.g. the listing of openacs.org/repository (which is a
+ # directory), since the directory is moved every night into
+ # openacs.org/repository.bak. With the given logic, it tries to
+ # server the .bak directory as a file (which does of course not
+ # work). That blind logic is not inecessary, and is actually a
+ # potential attack vector.
+ #
+ #if { [llength $files] > 0 } {
+ # set files [lsort $files]
+ # return [lindex $files 0]
+ #}
 # Nada!
 return ""
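Review bot: The retained context comment at the top of the hunk, `# None of the extensions from ExtensionPrecedence were found - just pick the first in alphabetical order.`, now describes behaviour the proc no longer has, since the alphabetical fallback below it is commented out and the proc returns "" instead. Replace it with a comment that states the new contract, e.g. `# None of the extensions from ExtensionPrecedence were found; do not fall back to arbitrary extensions on disk, return "" instead.`, so the next reader does not reinstate the fallback. The disabled block itself would be better deleted than kept as four commented lines, since CVS already preserves the history; the explanatory GN comment has two typos worth fixing while there (`server the .bak` should read `serve the .bak`, and `not inecessary` should read `not necessary`). The enclosing proc begins before the hunk, so its header documentation, if any, may also still mention the alphabetical fallback.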