diff --git a/lms/djangoapps/static_template_view/tests.py b/lms/djangoapps/static_template_view/tests.py
index 806242c6d2..9cd5502d5d 100644
--- a/lms/djangoapps/static_template_view/tests.py
+++ b/lms/djangoapps/static_template_view/tests.py
@@ -51,3 +51,11 @@ class SimpleTest(TestCase):
 response = self.client.get("/press/this-shouldnt-work")
 self.assertEqual(response.status_code, 404)
+ # can someone do something fishy? no.
+ response = self.client.get("/press/../homework.html")
+ self.assertEqual(response.status_code, 404)
+
+ # "." in is ascii 2E
+ response = self.client.get("/press/%2E%2E/homework.html")
+ self.assertEqual(response.status_code, 404)
+
diff --git a/lms/urls.py b/lms/urls.py
index 5251330cd8..d72112593a 100644
--- a/lms/urls.py
+++ b/lms/urls.py
@@ -117,7 +117,7 @@ urlpatterns = ('',
 {'template': 'honor.html'}, name="honor"),
 #Press releases
- url(r'^press/([^/]+)$', 'static_template_view.views.render_press_release', name='press_release'),
+ url(r'^press/([_a-zA-Z0-9-]+)$', 'static_template_view.views.render_press_release', name='press_release'),
 # Favicon
 (r'^favicon\.ico$', 'django.views.generic.simple.redirect_to', {'url': '/static/images/favicon.ico'}),
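Review bot: Neither new request in this hunk actually exercises the tightened route, because `/press/../homework.html` (and its `%2E%2E` spelling, which Django decodes before URL resolution) contains a second path segment and so already failed the old `^press/([^/]+)$` pattern — both would have returned 404 before the urls.py change, and the tests would keep passing if that change were reverted. To pin the allowlist, add a single-segment payload the old regex accepted and the new one rejects, e.g. `response = self.client.get("/press/..")` followed by `self.assertEqual(response.status_code, 404)`, and ideally a plain name with a dot such as `/press/release.html` so a future loosening of the character class is caught. The comment `# "." in is ascii 2E` reads as a typo; `# "%2E" is the percent-encoding of "."` says what was meant. The enclosing test method starts above this hunk.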
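Review bot: The new allowlist `[_a-zA-Z0-9-]+` is the right shape — it excludes `.`, `/` and `%`, so neither `..` nor double-encoded variants survive resolution — but nothing at the call site says why the character class was narrowed, and the view it guards, `render_press_release`, is outside this hunk, so the protection lives in the route alone. Add a comment above the pattern, `# Slug allowlist: the captured value presumably selects a template, so reject anything that could traverse (., /, %).`, and consider re-validating the slug inside render_press_release so a second route or a refactor cannot reintroduce the hole. Be aware that any existing press-release page whose slug contains characters outside this set (dots in particular) will now 404 and `reverse('press_release', args=[...])` will raise NoReverseMatch for it — worth checking the templates directory before merging. Python's `$` also matches before a trailing newline, so `\Z` is the stricter anchor, although the character class already keeps a newline out of the captured group.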