press releases: more explicitly match on slug (safety)

2013-04-10 08:20:30 -04:00
parent bcdc6db4a9
commit bd2330a8f0
2 changed files with 9 additions and 1 deletions
--- a/lms/djangoapps/static_template_view/tests.py
+++ b/lms/djangoapps/static_template_view/tests.py
@@ -51,3 +51,11 @@ class SimpleTest(TestCase):
        response = self.client.get("/press/this-shouldnt-work")
        self.assertEqual(response.status_code, 404)

+        # can someone do something fishy?  no.
+        response = self.client.get("/press/../homework.html")
+        self.assertEqual(response.status_code, 404)
+
+        # "." in is ascii 2E 
+        response = self.client.get("/press/%2E%2E/homework.html")
+        self.assertEqual(response.status_code, 404)
+
--- a/lms/urls.py
+++ b/lms/urls.py
@@ -117,7 +117,7 @@ urlpatterns = ('',
        {'template': 'honor.html'}, name="honor"),

    #Press releases
-    url(r'^press/([^/]+)$', 'static_template_view.views.render_press_release', name='press_release'),
+    url(r'^press/([_a-zA-Z0-9-]+)$', 'static_template_view.views.render_press_release', name='press_release'),

    # Favicon
    (r'^favicon\.ico$', 'django.views.generic.simple.redirect_to', {'url': '/static/images/favicon.ico'}),