press releases: more explicitly match on slug (safety)

lms/djangoapps/static_template_view/tests.py

@@ -51,3 +51,11 @@ class SimpleTest(TestCase):
         response = self.client.get("/press/this-shouldnt-work")
         self.assertEqual(response.status_code, 404)
 
+        # can someone do something fishy?  no.
+        response = self.client.get("/press/../homework.html")
+        self.assertEqual(response.status_code, 404)
+
+        # "." in is ascii 2E 
+        response = self.client.get("/press/%2E%2E/homework.html")
+        self.assertEqual(response.status_code, 404)
+

lms/urls.py

@@ -117,7 +117,7 @@ urlpatterns = ('',
         {'template': 'honor.html'}, name="honor"),
 
     #Press releases
-    url(r'^press/([^/]+)$', 'static_template_view.views.render_press_release', name='press_release'),
+    url(r'^press/([_a-zA-Z0-9-]+)$', 'static_template_view.views.render_press_release', name='press_release'),
 
     # Favicon
     (r'^favicon\.ico$', 'django.views.generic.simple.redirect_to', {'url': '/static/images/favicon.ico'}),