Strip null characters from search param

2025-07-30 01:49:50 +03:00 · 2019-07-02 09:46:02 -07:00 · 2019-07-02 09:46:02 -07:00 · a4b57344d1
commit a4b57344d1
parent 280014fe37
2 changed files with 12 additions and 1 deletions
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@ -64,7 +64,9 @@ class SearchFilter(BaseFilterBackend):
        and may be comma and/or whitespace delimited.
        """
        params = request.query_params.get(self.search_param, '')
-        return params.replace(',', ' ').split()
+        params = params.replace('\x00', '')  # strip null characters
+        params = params.replace(',', ' ')
+        return params.split()

    def construct_search(self, field_name):
        lookup = self.lookup_prefixes.get(field_name[0])
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@ -180,6 +180,15 @@ class SearchFilterTests(TestCase):
            {'id': 3, 'title': 'zzz', 'text': 'cde'}
        ]

+    def test_search_field_with_null_characters(self):
+        view = generics.GenericAPIView()
+        request = factory.get('/?search=\0as%00d\x00f')
+        request = view.initialize_request(request)
+
+        terms = filters.SearchFilter().get_search_terms(request)
+
+        assert terms == ['asdf']
+

 class AttributeModel(models.Model):
    label = models.CharField(max_length=32)