If someone requests a URL that ends in '.' but is otherwise a valid controller action (e.g. "/admin/user/list.") the 'list' action is displayed when it should have been a 404. This is caused by the call to WebUtils.getFormatFromURI(uri) in UrlMappingsFilter (line 88 in 1.0.4, line 101 in the 1.1 branch).
The filter only checks whether the format is null. Since a blank string is returned in this case, it is tricked into treating the request as a file-extension request and trims off the dot. If you change "if(format!=null)" to "if(StringUtils.hasLength(format))" then it works as it should.
This is slightly more urgent than it appears, since it creates a back door when the Acegi plugin is in use: "/admin/user/list." doesn't match the typical security mapping of "/admin/user/list/*=ROLE_WHATEVER". The workaround is to add an additional mapping for "/admin/user/list=ROLE_WHATEVER", but it's not very DRY.
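The difference between the two checks, as an added example that is not code from Grails or from this report. `formatFromUri`, `ACTIONS` and the two `resolve...` methods are hypothetical stand-ins for `WebUtils.getFormatFromURI` and the URL-mapping lookup, assuming only the behaviour described above (a blank string for a trailing dot), and `hasLength` is a local copy of the Spring `StringUtils.hasLength` contract.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class TrailingDotFormatCheck {

    // Constructed action table standing in for the real URL mappings.
    static final Set<String> ACTIONS = new HashSet<>(Arrays.asList("/admin/user/list"));

    // Hypothetical stand-in for WebUtils.getFormatFromURI: null when the last
    // path segment has no dot, otherwise the text after the last dot, which is
    // the empty string for "/admin/user/list.".
    static String formatFromUri(String uri) {
        int slash = uri.lastIndexOf('/');
        int dot = uri.lastIndexOf('.');
        return (dot > slash) ? uri.substring(dot + 1) : null;
    }

    // Same contract as Spring's StringUtils.hasLength: non-null and non-empty.
    static boolean hasLength(String s) {
        return s != null && s.length() > 0;
    }

    // Check as reported: any non-null format is treated as a file extension.
    static String resolveWithNullCheck(String uri) {
        String format = formatFromUri(uri);
        if (format != null) {
            uri = uri.substring(0, uri.lastIndexOf('.'));
        }
        return ACTIONS.contains(uri) ? uri : null; // null means 404
    }

    // Check as proposed: an empty format is not an extension, nothing is trimmed.
    static String resolveWithHasLength(String uri) {
        String format = formatFromUri(uri);
        if (hasLength(format)) {
            uri = uri.substring(0, uri.lastIndexOf('.'));
        }
        return ACTIONS.contains(uri) ? uri : null;
    }

    public static void main(String[] args) {
        // Constructed sample requests: plain, real extension, trailing dot.
        for (String uri : new String[] {"/admin/user/list", "/admin/user/list.xml", "/admin/user/list."}) {
            System.out.println(uri + " -> null check: " + resolveWithNullCheck(uri)
                    + ", hasLength: " + resolveWithHasLength(uri));
        }
    }
}
```

Only the trailing-dot request differs between the two methods: the null check resolves it to the 'list' action, while the `hasLength` check leaves the URI untouched so the lookup fails and the request is a 404.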