Merged in [19670] from rjsparks@nostrum.com:

    Escape . in agenda url patterns. Guard against unrecognized extensions.
 - Legacy-Id: 19671
Note: SVN reference [19670] has been migrated to Git commit 58bd89c

Author: rjsparks

ietf/meeting/urls.py

@@ -64,9 +64,9 @@
 ]
 
 type_ietf_only_patterns_id_optional = [
-    url(r'^agenda(?P<utc>-utc)?(?P<ext>.html)?/?$',     views.agenda),
-    url(r'^agenda(?P<ext>.txt)$', views.agenda),
-    url(r'^agenda(?P<ext>.csv)$', views.agenda),
+    url(r'^agenda(?P<utc>-utc)?(?P<ext>\.html)?/?$',     views.agenda),
+    url(r'^agenda(?P<ext>\.txt)$', views.agenda),
+    url(r'^agenda(?P<ext>\.csv)$', views.agenda),
     url(r'^agenda/edit$',
         RedirectView.as_view(pattern_name='ietf.meeting.views.edit_meeting_schedule', permanent=True),
         name='ietf.meeting.views.edit_meeting_schedule'),

ietf/meeting/views.py

@@ -1488,6 +1488,8 @@ def agenda(request, num=None, name=None, base=None, ext=None, owner=None, utc=""
         ".txt": "text/plain; charset=%s"%settings.DEFAULT_CHARSET,
         ".csv": "text/csv; charset=%s"%settings.DEFAULT_CHARSET,
     }
+    if ext not in mimetype:
+        raise Http404('Extension not allowed')
 
     # We do not have the appropriate data in the datatracker for IETF 64 and earlier.
     # So that we're not producing misleading pages...