From e12a903c4ad264121775a6e7598b404d2a66d12d Mon Sep 17 00:00:00 2001 From: Matt Westcott Date: Tue, 3 Jul 2018 16:55:59 +0100 Subject: [PATCH] Reject null characters in redirect URLs --- wagtail/contrib/redirects/middleware.py | 3 +++ wagtail/contrib/redirects/tests.py | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/wagtail/contrib/redirects/middleware.py b/wagtail/contrib/redirects/middleware.py index edd7328a9..164e82dc2 100644 --- a/wagtail/contrib/redirects/middleware.py +++ b/wagtail/contrib/redirects/middleware.py @@ -8,6 +8,9 @@ from wagtail.contrib.redirects import models def _get_redirect(request, path): + if '\0' in path: # reject URLs with null characters, which crash on Postgres (#4496) + return None + try: return models.Redirect.get_for_site(request.site).get(old_path=path) except models.Redirect.MultipleObjectsReturned: diff --git a/wagtail/contrib/redirects/tests.py b/wagtail/contrib/redirects/tests.py index 15b643490..9ce9708df 100644 --- a/wagtail/contrib/redirects/tests.py +++ b/wagtail/contrib/redirects/tests.py @@ -273,6 +273,19 @@ class TestRedirects(TestCase): self.assertRedirects(response, '/redirectto', status_code=301, fetch_redirect_response=False) + def test_reject_null_characters(self): + response = self.client.get('/test%00test/') + self.assertEqual(response.status_code, 404) + + response = self.client.get('/test\0test/') + self.assertEqual(response.status_code, 404) + + response = self.client.get('/test/?foo=%00bar') + self.assertEqual(response.status_code, 404) + + response = self.client.get('/test/?foo=\0bar') + self.assertEqual(response.status_code, 404) + class TestRedirectsIndexView(TestCase, WagtailTestUtils): def setUp(self):
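Review bot: The guard added at the top of `_get_redirect` returns `None` for a path that was never looked up, presumably the same value callers already read as "no redirect stored", and nothing in the hunk documents that contract. A short docstring would make it explicit, for example `"""Return the Redirect for path on the request's site, or None; paths containing NUL are rejected without querying the database."""`, with the trailing comment moved onto its own line above the `if` to keep the line short. The check matches only a literal NUL character, so whether a percent-encoded `%00` has already been decoded when `path` arrives depends on the caller, which is outside the hunk. The function's `except` branch also continues past the end of the hunk.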
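Review bot: The four requests in `test_reject_null_characters` assert only a 404 status, which a database backend that tolerates NUL in a string parameter would presumably also produce without the guard, so the test may only catch a regression when the suite runs against Postgres. A backend-independent assertion on the helper itself would pin the behaviour, for example `with self.assertNumQueries(0): self.assertIsNone(_get_redirect(None, '/test\0test/'))`, with `_get_redirect` imported from `wagtail.contrib.redirects.middleware`. That check fails on any backend if the early return is removed, because the lookup would then touch the request and the database. The `TestRedirects` class starts outside the hunk.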