Index: openacs-4/packages/xowiki/tcl/package-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/package-procs.tcl,v
diff -u -N -r1.332.2.20 -r1.332.2.21
--- openacs-4/packages/xowiki/tcl/package-procs.tcl 28 Jun 2019 09:46:20 -0000 1.332.2.20
+++ openacs-4/packages/xowiki/tcl/package-procs.tcl 28 Jun 2019 10:06:36 -0000 1.332.2.21
@@ -1284,14 +1284,13 @@
 }
 Package instproc normalize_path {name} {
+ #
+ # Don't allow any adressing outside of the jail.
+ #
+ # ns_normalizepath always adds a leading "/", so remove this.
+ #
 set nn [ns_normalizepath $name]
- if {[string range $name 0 0] ne "/" && [string range $nn 0 0] eq "/"} {
- set name [string range $nn 1 end]
- } else {
- set name $nn
- }
- ns_log notice "=== normalized <$name>"
- return $name
+ return [string range $nn 1 end]
 }
 #view-default/../../../etc/hosts
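Review bot: The new header comment in normalize_path promises that nothing outside the jail can be addressed, but the body only normalizes the string lexically and strips the leading "/", so the promise holds only if every caller joins the result onto the jail directory and no symbolic link inside it points elsewhere. I would state that contract in the comment, for example `# Returns a path relative to the jail root (purely lexical, symlinks are not resolved); may be empty.` An input that normalizes to the root, such as "/" or "..", presumably comes back as an empty string, so the callers, which are not visible in this hunk, should be checked for how they treat an empty name. The traversal example kept as a comment after the proc would serve better as a regression test that asserts the normalized result.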