Index: openacs-4/packages/acs-tcl/acs-tcl.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v
diff -u -N -r1.70.2.12 -r1.70.2.13
--- openacs-4/packages/acs-tcl/acs-tcl.info	29 Apr 2016 07:56:56 -0000	1.70.2.12
+++ openacs-4/packages/acs-tcl/acs-tcl.info	15 May 2016 18:22:49 -0000	1.70.2.13
@@ -9,16 +9,16 @@
     <implements-subsite-p>f</implements-subsite-p>
     <inherit-templates-p>t</inherit-templates-p>
     
-    <version name="5.9.1d4" url="http://openacs.org/repository/download/apm/acs-tcl-5.9.1d4.apm">
+    <version name="5.9.1d5" url="http://openacs.org/repository/download/apm/acs-tcl-5.9.1d5.apm">
         <owner url="http://openacs.org">OpenACS</owner>
         <summary>The Kernel Tcl API library.</summary>
-        <release-date>2015-10-04</release-date>
+        <release-date>2016-05-15</release-date>
         <vendor url="http://openacs.org">OpenACS</vendor>
         <description format="text/html">Contains all the core Tcl API, including the request processor, security and session management, permissions, site-nodes, package management infrastructure, etc.</description>
         <license>GPL version 2</license>
         <maturity>3</maturity>
 
-        <provides url="acs-tcl" version="5.9.1d4"/>
+        <provides url="acs-tcl" version="5.9.1d5"/>
         <requires url="acs-bootstrap-installer" version="5.9.0"/>
         <requires url="acs-kernel" version="5.9.1d4"/>
 
Index: openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl,v
diff -u -N -r1.118.2.13 -r1.118.2.14
--- openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	15 Mar 2016 20:15:41 -0000	1.118.2.13
+++ openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	15 May 2016 18:22:49 -0000	1.118.2.14
@@ -585,6 +585,21 @@
     set root [root_of_host [ad_host]]
     set ad_conn_url [ad_conn url]
 
+    if {[string first [encoding convertto utf-8 \x00] $ad_conn_url] > -1} {
+        ad_log warning "BAD CHAR in URL $ad_conn_url // rp_filter $why"
+        # reset [ad_conn url], otherwise we might run into a problem when rendering the error page
+        ad_conn -set url ${root}/
+        ad_page_contract_handle_datasource_error "URL contains invalid characters"
+        return filter_return
+    }
+    if {[string length $ad_conn_url] > 132} {
+        ad_log warning "URL TOO LONG: $ad_conn_url // rp_filter $why"
+        # reset [ad_conn url], otherwise we might run into a problem when rendering the error page
+        ad_conn -set url ${root}/
+        ad_page_contract_handle_datasource_error "URL is longer than allowed"
+        return filter_return
+    }
+
     # 2. handle special case: if the root is a prefix of the URL, 
     #                         remove this prefix from the URL, and redirect.
     if { $root ne "" } {
@@ -665,14 +680,9 @@
     }
     rp_debug -ns_log_level debug -debug t "rp_filter: setting up request: [ns_conn method] [ns_conn url] [ns_conn query]"
 
-    if {[string length $ad_conn_url] >= 132} {
-        ad_log warning "requested URL is too long ([string length $ad_conn_url] bytes, max 132); url=$ad_conn_url; reset url to /"
-        set ad_conn_url /
-    }
-    
     if { [catch { array set node [site_node::get -url $ad_conn_url] } errmsg] } {
         # log and do nothing
-        ad_log error "error within rp_filter: $errmsg"
+        ad_log error "error within rp_filter when getting site node: $errmsg"
     } else {
 
         if {$node(url) eq "$ad_conn_url/"} {