use a more secure slug regex

apps/addons/urls.py

@@ -4,6 +4,8 @@ from django.views.decorators.csrf import csrf_exempt
 
 from . import views
 
+ADDON_ID = r"""(?P<addon_id>[^/<>"']+)"""
+
 
 # These will all start with /addon/<addon_id>/
 detail_patterns = patterns('',
@@ -37,7 +39,7 @@ urlpatterns = patterns('',
     url('^$', views.home, name='home'),
 
     # URLs for a single add-on.
-    ('^addon/(?P<addon_id>[^/]+)/', include(detail_patterns)),
+    ('^addon/%s/' % ADDON_ID, include(detail_patterns)),
 
     # Accept extra junk at the end for a cache-busting build id.
     url('^addons/buttons.js(?:/.+)?$', 'addons.buttons.js'),

apps/api/urls.py

@@ -3,6 +3,7 @@ from django.conf.urls.defaults import patterns, url, include
 
 from piston.resource import Resource
 
+from addons.urls import ADDON_ID
 from api import authentication, handlers, views
 
 API_CACHE_TIMEOUT = getattr(settings, 'API_CACHE_TIMEOUT', 500)
@@ -50,7 +51,7 @@ list_regexps = build_urls(base_list_regexp, appendages)
 
 api_patterns = patterns('',
     # Addon_details
-    url('addon/(?P<addon_id>[^/]+)$', class_view(views.AddonDetailView),
+    url('addon/%s$' % ADDON_ID, class_view(views.AddonDetailView),
         name='api.addon_detail'),)
 
 for regexp in search_regexps:
@@ -69,10 +70,10 @@ version_resource = Resource(handler=handlers.VersionsHandler, **ad)
 piston_patterns = patterns('',
     url(r'^user/$', user_resource, name='api.user'),
     url(r'^addons/$', addons_resource, name='api.addons'),
-    url(r'^addon/(?P<addon_id>[^/]+)$', addons_resource, name='api.addon'),
-    url(r'^addon/(?P<addon_id>[^/]+)/versions$', version_resource,
+    url(r'^addon/%s$' % ADDON_ID, addons_resource, name='api.addon'),
+    url(r'^addon/%s/versions$' % ADDON_ID, version_resource,
         name='api.versions'),
-    url(r'^addon/(?P<addon_id>[^/]+)/version/(?P<version_id>\d+)$',
+    url(r'^addon/%s/version/(?P<version_id>\d+)$' % ADDON_ID,
         version_resource, name='api.version'),
 )
 

apps/devhub/urls.py

@@ -3,6 +3,7 @@ from django.shortcuts import redirect
 
 from urlconf_decorator import decorate
 
+from addons.urls import ADDON_ID
 from amo.decorators import write
 from . import views
 
@@ -69,8 +70,8 @@ urlpatterns = decorate(write, patterns('',
     url('^$', views.index, name='devhub.index'),
 
     # URLs for a single add-on.
-    ('^addon/(?P<addon_id>[^/]+)/', include(detail_patterns)),
-    ('^ajax/addon/(?P<addon_id>[^/]+)/', include(ajax_patterns)),
+    ('^addon/%s/' % ADDON_ID, include(detail_patterns)),
+    ('^ajax/addon/%s/' % ADDON_ID, include(ajax_patterns)),
 
     # Redirect people who have /addons/ instead of /addon/.
     ('^addons/\d+/.*',
@@ -87,7 +88,7 @@ urlpatterns = decorate(write, patterns('',
     url('^addon$', lambda r: redirect('devhub.addons', permanent=True)),
     url('^addons$', views.dashboard, name='devhub.addons'),
     url('^feed$', views.feed, name='devhub.feed_all'),
-    url('^feed/(?P<addon_id>[^/]+)$', views.feed, name='devhub.feed'),
+    url('^feed/%s$' % ADDON_ID, views.feed, name='devhub.feed'),
     url('^upload$', views.upload, name='devhub.upload'),
     url('^upload/([^/]+)(?:/([^/]+))?$', views.upload_detail,
         name='devhub.upload_detail')),

apps/discovery/urls.py

@@ -1,5 +1,6 @@
 from django.conf.urls.defaults import patterns, url, include
 
+from addons.urls import ADDON_ID
 from . import views
 
 
@@ -12,7 +13,7 @@ addon_patterns = patterns('',
 
 
 urlpatterns = patterns('',
-    url('^addon/(?P<addon_id>[^/]+)/', include(addon_patterns)),
+    url('^addon/%s/' % ADDON_ID, include(addon_patterns)),
 
     url('^recs$', views.recommendations, name='discovery.recs'),
     url('^(?P<version>[^/]+)/(?P<platform>[^/]+)$', views.pane,

apps/versions/urls.py

@@ -1,6 +1,7 @@
 from django.conf.urls.defaults import patterns, url
 from versions.feeds import VersionsRss
 
+from addons.urls import ADDON_ID
 from . import views
 
 urlpatterns = patterns('',
@@ -17,7 +18,7 @@ download_patterns = patterns('',
         views.download_file, name='downloads.file'),
 
     # /latest/1865/type:xpi/platform:5
-    url('^latest/(?P<addon_id>[^/]+)/'
-        '(?:type:(?P<type>\w+)/)?(?:platform:(?P<platform>\d+)/)?.*',
+    url('^latest/%s/(?:type:(?P<type>\w+)/)?'
+        '(?:platform:(?P<platform>\d+)/)?.*' % ADDON_ID,
         views.download_latest, name='downloads.latest'),
 )