--- includes/common.inc	2006-07-19 02:00:10.000000000 -0700
+++ includes/common_new.inc	2006-07-27 20:47:48.000000000 -0700
@@ -1018,7 +1018,10 @@ function url($path = NULL, $query = NULL
 
   // The special path '<front>' links to the default front page.
   if (!empty($path) && $path != '<front>') {
-    $path = drupal_get_path_alias($path);
+    // disallow paths that cannot be aliased
+    if (drupal_alias_allowed($path)) {
+      $path = drupal_get_path_alias($path);
+    }  
     $path = drupal_urlencode($path);
     if (!$clean_url) {
       if (isset($query)) {
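Review bot: The added comment `// disallow paths that cannot be aliased` misdescribes what the guard does — a path whose root is not in the allowed list is not rejected, it simply keeps its system path and still goes through `drupal_urlencode()`; a reader checking for an access control here would be misled. Suggest `// Only look up an alias for paths drupal_alias_allowed() permits; other paths keep their system path.` The closing brace on the new `}  ` line also carries trailing whitespace. The enclosing `url()` function starts before this hunk and continues after it.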
@@ -1047,6 +1050,28 @@ function url($path = NULL, $query = NULL
   }
 }
 
+/** 
+ * Check a path to see if it can be aliased.
+ * @param $path
+ *   The Drupal path being linked to, such as "admin/node", or an existing URL
+ *   like "http://drupal.org/". 
+ * @return
+ * Boolean TRUE if the alias is allowed. 
+ * FALSE if disallowed.
+ **/
+
+function drupal_alias_allowed($path) {
+  $allowed = variable_get('path_aliases_allowed', array());
+  $lookup = explode('/', $path);
+  $root = $lookup[0];
+  if (empty($allowed) || $path == $_GET['q'] || in_array($root, $allowed)) {
+    return TRUE;
+  }
+  else {
+    return FALSE;
+  }  
+}
+
 /**
  * Format an attribute string to insert in a tag.
  *
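Review bot: `drupal_alias_allowed()` reads `$_GET['q']` without checking it is set, so any caller of `url()` on a request or script where the path phase has not populated `q` will emit a notice and compare against null; guard it, e.g. `$current = isset($_GET['q']) ? $_GET['q'] : '';` and then `if (empty($allowed) || $path == $current || in_array($root, $allowed, TRUE)) {` — the `TRUE` also makes the root lookup a strict string comparison so that numeric-looking roots cannot match loosely. Whether `q` is always set at this point depends on the bootstrap phase the caller reached, which the hunk does not show. The docblock is detached from the function by a blank line and closes with `**/`; use `*/` directly above the `function` line so it is attached, and drop the trailing whitespace on `/** ` and after the final `}  `. The `else { return FALSE; }` after an unconditional `return TRUE;` can be a bare `return FALSE;`.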
