Index: openacs-4/packages/acs-kernel/acs-kernel.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-kernel/acs-kernel.info,v
diff -u -r1.41 -r1.42
--- openacs-4/packages/acs-kernel/acs-kernel.info 2 Oct 2003 18:58:30 -0000 1.41
+++ openacs-4/packages/acs-kernel/acs-kernel.info 3 Oct 2003 16:03:31 -0000 1.42
@@ -7,13 +7,13 @@
 t t - + Don Baccus Routines and data models providing the foundation for OpenACS-based Web services. 2003-09-25 OpenACS - +
@@ -59,6 +59,7 @@
+
Index: openacs-4/packages/acs-tcl/tcl/request-processor-init.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-init.tcl,v
diff -u -r1.7 -r1.8
--- openacs-4/packages/acs-tcl/tcl/request-processor-init.tcl 25 Sep 2003 13:39:02 -0000 1.7
+++ openacs-4/packages/acs-tcl/tcl/request-processor-init.tcl 3 Oct 2003 16:03:31 -0000 1.8
@@ -152,7 +152,3 @@
 } }
-# Deny access to .xql URLs
-if { ![parameter::get -parameter ServeXQLFiles -package_id [ad_acs_kernel_id] -default 0] } {
- ad_register_filter postauth GET *.xql request_denied_filter
-}
Index: openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl,v
diff -u -r1.48 -r1.49
--- openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl 3 Oct 2003 10:14:30 -0000 1.48
+++ openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl 3 Oct 2003 16:03:31 -0000 1.49
@@ -832,13 +832,15 @@
 return }
- if {[info exists dir_index]} {
- if { [nsv_get rp_directory_listing_p .] } {
- ns_returnnotice 200 "Directory listing of $dir_index" \
- [rp_html_directory_listing $dir_index]
- return
+ if {[info exists dir_index]
+ && ![string match */CVS/* $dir_index]
+ } {
+ if { [nsv_get rp_directory_listing_p .] } {
+ ns_returnnotice 200 "Directory listing of $dir_index" \
+ [rp_html_directory_listing $dir_index]
+ return
+ }
 }
- }
 # Ok, we didn't find a normal file. Let's look for a path info style # thingy.
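Review bot: The new `![string match */CVS/* $dir_index]` guard on the directory-listing branch is case-sensitive and only matches when a slash follows `CVS`. If `$dir_index` can arrive as a path ending in `/CVS` with no trailing slash, or as `cvs` on a case-insensitive filesystem, the listing would still be produced; the hunk does not show how `dir_index` is set, so this needs confirming. The guard also hard-codes one directory name, while the same commit introduces the `ExcludedFiles` parameter for served files, so listings and file serving can drift apart. Consider `![string match -nocase */CVS/* $dir_index/]` and a comment such as `# never produce a listing for CVS metadata directories`. The enclosing proc starts and ends outside this hunk.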
@@ -986,33 +988,45 @@
 } ad_proc -public rp_serve_concrete_file {file} {
- Serves a file.
+ Serves a file.
 } {
- set extension [file extension $file]
- set startclicks [clock clicks]
+ set extension [file extension $file]
+ set startclicks [clock clicks]
- if { [nsv_exists rp_extension_handlers $extension] } {
- set handler [nsv_get rp_extension_handlers $extension]
+ if { [nsv_exists rp_extension_handlers $extension] } {
+ set handler [nsv_get rp_extension_handlers $extension]
- if { [set errno [catch {
- ad_try {
- $handler
- } ad_script_abort val {
- # do nothing
- }
- rp_finish_serving_page
- ad_call_proc_if_exists ds_add rp [list serve_file [list $file $handler] $startclicks [clock clicks]]
- } error]] } {
- global errorCode errorInfo
- ad_call_proc_if_exists ds_add rp [list serve_file [list $file $handler] $startclicks [clock clicks] error "$errorCode: $errorInfo"]
- return -code $errno -errorcode $errorCode -errorinfo $errorInfo $error
+ if { [set errno [catch {
+ ad_try {
+ $handler
+ } ad_script_abort val {
+ # do nothing
+ }
+ rp_finish_serving_page
+ ad_call_proc_if_exists ds_add rp [list serve_file [list $file $handler] $startclicks [clock clicks]]
+ } error]] } {
+ global errorCode errorInfo
+ ad_call_proc_if_exists ds_add rp [list serve_file [list $file $handler] $startclicks [clock clicks] error "$errorCode: $errorInfo"]
+ return -code $errno -errorcode $errorCode -errorinfo $errorInfo $error
+ }
+ } else {
+ # Some other random kind of file - guess the type and return it.
+
+ # first check that we are not serving a forbidden file like a .xql, a backup or CVS file
+ foreach match [parameter::get -parameter ExcludedFiles -package_id [ad_acs_kernel_id] -default {}] {
+ if {[string match $match $file]} {
+ ad_raise notfound
+ }
+ }
+ if {[string equal $extension ".xql"]
+ && ![parameter::get -parameter ServeXQLFiles -package_id [ad_acs_kernel_id] -default 0] } {
+ ad_raise notfound
+ } else {
+ set type [ns_guesstype $file]
+ ad_call_proc_if_exists ds_add rp [list serve_file [list $file $type] $startclicks [clock clicks]]
+ ns_returnfile 200 $type $file
+ }
 }
- } else {
- # Some other random kind of file - guess the type and return it.
- set type [ns_guesstype $file]
- ad_call_proc_if_exists ds_add rp [list serve_file [list $file $type] $startclicks [clock clicks]]
- ns_returnfile 200 $type $file
- }
 } ad_proc -private rp_concrete_file {
@@ -1400,7 +1414,5 @@
 "Forbidden URL" \ "
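Review bot: The `ExcludedFiles` loop sits only in the `else` branch of `rp_serve_concrete_file`, so a path that matches an excluded pattern but has a registered extension handler is still dispatched to `$handler` unchecked. If the exclusion is meant to cover every file under a matched path, move the `foreach match … ad_raise notfound` loop above `if { [nsv_exists rp_extension_handlers $extension] }`. The lookup uses `-default {}`, so an instance where the parameter has no value excludes nothing. Both `string match $match $file` and `string equal $extension ".xql"` are case-sensitive, so consider `-nocase` for deployments on case-insensitive filesystems. The proc's doc string should also say that the patterns are globs matched against the full filesystem path in `$file`.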
No, we're not going to show you this file
"
- ns_return 200 text/html $output
- return filter_return
 }