From 58bd89c99e2195df69a28540578a285c8d7b65db Mon Sep 17 00:00:00 2001
From: Robert Sparks <rjsparks@nostrum.com>
Date: Tue, 16 Nov 2021 19:16:50 +0000
Subject: [PATCH] Escape . in agenda url patterns. Guard against unrecognized
 extensions. Commit ready for merge.  - Legacy-Id: 19670

---
 ietf/meeting/urls.py  | 6 +++---
 ietf/meeting/views.py | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ietf/meeting/urls.py b/ietf/meeting/urls.py
index a051bd953..f4bf41ec5 100644
--- a/ietf/meeting/urls.py
+++ b/ietf/meeting/urls.py
@@ -64,9 +64,9 @@ type_interim_patterns = [
 ]
 
 type_ietf_only_patterns_id_optional = [
-    url(r'^agenda(?P<utc>-utc)?(?P<ext>.html)?/?$',     views.agenda),
-    url(r'^agenda(?P<ext>.txt)$', views.agenda),
-    url(r'^agenda(?P<ext>.csv)$', views.agenda),
+    url(r'^agenda(?P<utc>-utc)?(?P<ext>\.html)?/?$',     views.agenda),
+    url(r'^agenda(?P<ext>\.txt)$', views.agenda),
+    url(r'^agenda(?P<ext>\.csv)$', views.agenda),
     url(r'^agenda/edit$',
         RedirectView.as_view(pattern_name='ietf.meeting.views.edit_meeting_schedule', permanent=True),
         name='ietf.meeting.views.edit_meeting_schedule'),
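Review bot: Nothing in this commit pins the escaped patterns in `type_ietf_only_patterns_id_optional` with a test; the diffstat touches only `urls.py` and `views.py`. A URL-resolution test asserting that a path with a non-dot character in that position (constructed example: `agendaXtxt`) returns 404 would keep the escape from being silently dropped in a later edit. The `.txt` and `.csv` entries could also be folded into one pattern, `url(r'^agenda(?P<ext>\.txt|\.csv)$', views.agenda),`, so the allowed extensions are listed in one place. The list continues past the end of this hunk, and other patterns in the file that match a literal extension may carry the same unescaped `.`, so a grep is worthwhile.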
diff --git a/ietf/meeting/views.py b/ietf/meeting/views.py
index 72161a16b..35a09be2d 100644
--- a/ietf/meeting/views.py
+++ b/ietf/meeting/views.py
@@ -1488,6 +1488,8 @@ def agenda(request, num=None, name=None, base=None, ext=None, owner=None, utc=""
         ".txt": "text/plain; charset=%s"%settings.DEFAULT_CHARSET,
         ".csv": "text/csv; charset=%s"%settings.DEFAULT_CHARSET,
     }
+    if ext not in mimetype:
+        raise Http404('Extension not allowed')
 
     # We do not have the appropriate data in the datatracker for IETF 64 and earlier.
     # So that we're not producing misleading pages...
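Review bot: The added `if ext not in mimetype` check is only correct if `ext` has already been defaulted to one of the dict's keys, because `agenda()` declares `ext=None` and the `(?P<ext>\.html)?` group in the URL pattern is optional. That earlier part of the function body is outside this hunk and should be confirmed. If no default is applied, the extensionless `agenda` URL would now return 404. A one-line comment above the guard would record the intent, e.g. `# ext comes from the URL; refuse anything without a known content type rather than failing on the mimetype lookup`.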