Index: /trunk/src/org/openstreetmap/josm/actions/OpenLocationAction.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/actions/OpenLocationAction.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/actions/OpenLocationAction.java	(revision 7749)
@@ -131,8 +131,9 @@
      * Replies the list of download tasks accepting the given url.
      * @param url The URL to open
+     * @param isRemotecontrol True if download request comes from remotecontrol.
      * @return The list of download tasks accepting the given url.
      * @since 5691
      */
-    public Collection<DownloadTask> findDownloadTasks(final String url) {
+    public Collection<DownloadTask> findDownloadTasks(final String url, boolean isRemotecontrol) {
         List<DownloadTask> result = new ArrayList<>();
         for (Class<? extends DownloadTask> taskClass : downloadTasks) {
@@ -140,5 +141,5 @@
                 try {
                     DownloadTask task = taskClass.getConstructor().newInstance();
-                    if (task.acceptsUrl(url)) {
+                    if (task.acceptsUrl(url, isRemotecontrol)) {
                         result.add(task);
                     }
@@ -179,5 +180,5 @@
     public void openUrl(boolean new_layer, final String url) {
         PleaseWaitProgressMonitor monitor = new PleaseWaitProgressMonitor(tr("Download Data"));
-        Collection<DownloadTask> tasks = findDownloadTasks(url);
+        Collection<DownloadTask> tasks = findDownloadTasks(url, false);
         DownloadTask task = null;
         Future<?> future = null;
Index: /trunk/src/org/openstreetmap/josm/actions/downloadtasks/AbstractDownloadTask.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/actions/downloadtasks/AbstractDownloadTask.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/actions/downloadtasks/AbstractDownloadTask.java	(revision 7749)
@@ -68,5 +68,4 @@
 
     // Can be overridden for more complex checking logic
-    @Override
     public boolean acceptsUrl(String url) {
         if (url==null) return false;
@@ -77,4 +76,28 @@
         }
         return false;
+    }
+
+    /**
+     * Check / decide if the task is safe for remotecontrol.
+     * 
+     * Keep in mind that a potential attacker has full control over the content
+     * of the file that will be downloaded.
+     * If it is possible to run arbitrary code or write to the local file
+     * system, then the task is (obviously) not save for remote execution.
+     * 
+     * The default value is false = unsafe. Override in a subclass to
+     * allow running the task via remotecontol.
+     * 
+     * @return true if it is safe to download and open any file of the
+     * corresponding format, false otherwise
+     */
+    public boolean isSafeForRemotecontrolRequests() {
+        return false;
+    }
+
+    @Override
+    public boolean acceptsUrl(String url, boolean isRemotecontrol) {
+        if (isRemotecontrol && !isSafeForRemotecontrolRequests()) return false;
+        return acceptsUrl(url);
     }
 
Index: /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadGpsTask.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadGpsTask.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadGpsTask.java	(revision 7749)
@@ -198,4 +198,9 @@
     }
 
+    @Override
+    public boolean isSafeForRemotecontrolRequests() {
+        return true;
+    }
+
     /**
      * Determines if the given URL denotes an OSM gpx-related API call.
Index: /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadNotesTask.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadNotesTask.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadNotesTask.java	(revision 7749)
@@ -67,4 +67,9 @@
     }
 
+    @Override
+    public boolean isSafeForRemotecontrolRequests() {
+        return true;
+    }
+
     abstract class DownloadTask extends PleaseWaitRunnable {
         protected OsmServerReader reader;
Index: /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadOsmTask.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadOsmTask.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadOsmTask.java	(revision 7749)
@@ -169,4 +169,9 @@
     }
 
+    @Override
+    public boolean isSafeForRemotecontrolRequests() {
+        return true;
+    }
+
     /**
      * Superclass of internal download task.
Index: /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadSessionTask.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadSessionTask.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadSessionTask.java	(revision 7749)
@@ -72,3 +72,15 @@
         return null;
     }
+
+    /**
+     * Do not allow to load a session file via remotecontrol.
+     * 
+     * Session importers can be added by plugins and there is currently
+     * no way to ensure that these are safe for remotecontol.
+     * @return 
+     */
+    @Override
+    public boolean isSafeForRemotecontrolRequests() {
+        return Main.pref.getBoolean("remotecontrol.import.allow_session", false);
+    }
 }
Index: /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadTask.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadTask.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/actions/downloadtasks/DownloadTask.java	(revision 7749)
@@ -75,7 +75,13 @@
      * Returns true if the task is able to open the given URL, false otherwise.
      * @param url the url to download from
+     * @param isRemotecontrol True if download request comes from remotecontrol.
      * @return True if the task is able to open the given URL, false otherwise.
+     * Return false, if the request comes from remotecontrol, but the task is not
+     * safe for remotecontrol.
+     * A task is not safe for remotecontrol if it is possible to prepare a file
+     * for download which does something unintended, e.g. gain access to the
+     * local file system.
      */
-    boolean acceptsUrl(String url);
+    boolean acceptsUrl(String url, boolean isRemotecontrol);
 
     /**
Index: /trunk/src/org/openstreetmap/josm/io/remotecontrol/handler/ImportHandler.java
===================================================================
--- /trunk/src/org/openstreetmap/josm/io/remotecontrol/handler/ImportHandler.java	(revision 7748)
+++ /trunk/src/org/openstreetmap/josm/io/remotecontrol/handler/ImportHandler.java	(revision 7749)
@@ -125,5 +125,5 @@
         }
         // Find download tasks for the given URL
-        suitableDownloadTasks = Main.main.menu.openLocation.findDownloadTasks(urlString);
+        suitableDownloadTasks = Main.main.menu.openLocation.findDownloadTasks(urlString, true);
         if (suitableDownloadTasks.isEmpty()) {
             // It should maybe be better to reject the request in that case ?