From e4e75f1c7ceb053bffb8031e0468000c4d9c3cec Mon Sep 17 00:00:00 2001
From: Ryan P Kilby
Date: Tue, 2 Jul 2019 11:33:48 -0700
Subject: [PATCH] Strip null characters from search param (#6774)

---
 rest_framework/filters.py | 4 +++-
 tests/test_filters.py | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index 2af063926..c0c708d26 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -64,7 +64,9 @@ class SearchFilter(BaseFilterBackend):
 and may be comma and/or whitespace delimited.
 """
 params = request.query_params.get(self.search_param, '')
- return params.replace(',', ' ').split()
+ params = params.replace('\x00', '') # strip null characters
+ params = params.replace(',', ' ')
+ return params.split()

 def construct_search(self, field_name):
 lookup = self.lookup_prefixes.get(field_name[0])
diff --git a/tests/test_filters.py b/tests/test_filters.py
index a52f40103..6d7969a92 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -180,6 +180,15 @@ class SearchFilterTests(TestCase):
 {'id': 3, 'title': 'zzz', 'text': 'cde'}
 ]

+ def test_search_field_with_null_characters(self):
+ view = generics.GenericAPIView()
+ request = factory.get('/?search=\0as%00d\x00f')
+ request = view.initialize_request(request)
+
+ terms = filters.SearchFilter().get_search_terms(request)
+
+ assert terms == ['asdf']
+

 class AttributeModel(models.Model):
 label = models.CharField(max_length=32)
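Review bot: In `SearchFilter.get_search_terms` (rest_framework/filters.py), the comment on the new `params.replace('\x00', '')` line restates the call but not the reason, and the docstring above it still describes only delimiter handling. I would replace the trailing comment with `# NUL is dropped, not treated as a delimiter: 'a\x00b' becomes the single term 'ab'` and add a docstring sentence saying null characters are removed before the value is split. Presumably the motivation is that a NUL reaching the database layer makes the request fail; if so, that belongs in the comment too. Only U+0000 is removed, so other control characters still pass into the search terms unchanged, and the comment should say whether that is intended. The method's `def` line and the start of its docstring lie outside the hunk.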
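Review bot: `test_search_field_with_null_characters` in tests/test_filters.py covers only nulls embedded in a non-empty term, so a search value made up entirely of null characters is untested. After stripping, that input should produce an empty term list, which can be pinned with `request = view.initialize_request(factory.get('/?search=%00'))` followed by `assert filters.SearchFilter().get_search_terms(request) == []`. The test also stops at `get_search_terms`, so it does not show that a request carrying `%00` completes through the filter's queryset path; a case modelled on the other tests in `SearchFilterTests` would cover that. The class body starts outside the hunk.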