It is possible to download files from the server hosting Alfresco, that are not even in the repository.
[steps to reproduce]
1 - Set up a new 4.2.3 environment on Ubuntu using the installer and default values for the installation folder
2 - Browse to http://server:port/alfresco/dr?contentUrl=store://../../../../../../../../../../../../etc/passwd
3 - Login as admin
The requested /etc/passwd server file is being downloaded to the client.
It could be any file.
Only the files needed by Alfresco should be accessible. All others should not.