make sure there are no null bytes in input data from query strings (#12072)

Fixes #12052
2024-11-29 01:22:07 +01:00 · 2024-06-20 21:54:32 +02:00 · 2024-06-20 21:54:32 +02:00 · 77791767a2
commit 77791767a2
parent ad95e0a991
4 changed files with 18 additions and 0 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -26,6 +26,7 @@ Changelog
 * Fix: Handle choice groups as dictionaries in active filters (Sébastien Corbin)
 * Fix: Add separators when displaying multiple error messages on a StructBlock (Kyle Bayliss)
 * Fix: Specify `verbose_name` on `TranslatableMixin.locale` so that it is translated when used as a label (Romein van Buren)
+ * Fix: Disallow null characters in API filter values (Jochen Wersdörfer)
 * Docs: Remove duplicate section on frontend caching proxies from performance page (Jake Howard)
 * Docs: Document `restriction_type` field on PageViewRestriction (Shlomo Markowitz)
 * Docs: Document Wagtail's bug bounty policy (Jake Howard)
--- a/docs/releases/6.2.md
+++ b/docs/releases/6.2.md
@ -40,6 +40,7 @@ depth: 1
 * Fix the rendering of grouped choices when using ChoiceFilter in combination with choices (Sébastien Corbin)
 * Add separators when displaying multiple error messages on a StructBlock (Kyle Bayliss)
 * Specify `verbose_name` on `TranslatableMixin.locale` so that it is translated when used as a label (Romein van Buren)
+ * Disallow null characters in API filter values (Jochen Wersdörfer)


 ### Documentation
--- a/wagtail/api/v2/filters.py
+++ b/wagtail/api/v2/filters.py
@ -46,6 +46,12 @@ class FieldsFilter(BaseFilterBackend):
                        % (value, field_name, str(e))
                    )

+                if "\x00" in str(value):
+                    raise BadRequestError(
+                        "field filter error. null characters are not allowed for %s"
+                        % field_name
+                    )
+
                if isinstance(field, TaggableManager):
                    for tag in value.split(","):
                        queryset = queryset.filter(**{field_name + "__name": tag})
--- a/wagtail/api/v2/tests/test_pages.py
+++ b/wagtail/api/v2/tests/test_pages.py
@ -683,6 +683,16 @@ class TestPageListing(WagtailTestUtils, TestCase):
            },
        )

+    def test_slug_field_containing_null_bytes_gives_error(self):
+        response = self.get_response(slug="\0")
+        content = json.loads(response.content.decode("UTF-8"))
+
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(
+            content,
+            {"message": "field filter error. null characters are not allowed for slug"},
+        )
+
    # CHILD OF FILTER

    def test_child_of_filter(self):