Prohibit null characters in CharField by default (#6073)

* Implement an allow_null_bytes argument to CharField (default True)
* Switch to using native ProhibitNullCharactersValidator instead

Author: jleclanche

rest_framework/compat.py

@@ -29,6 +29,11 @@
         RegexURLResolver as URLResolver,
     )
 
+try:
+    from django.core.validators import ProhibitNullCharactersValidator  # noqa
+except ImportError:
+    ProhibitNullCharactersValidator = None
+
 
 def get_original_route(urlpattern):
     """

rest_framework/fields.py

@@ -34,7 +34,8 @@
 from rest_framework import ISO_8601
 from rest_framework.compat import (
     MaxLengthValidator, MaxValueValidator, MinLengthValidator,
-    MinValueValidator, unicode_repr, unicode_to_repr
+    MinValueValidator, ProhibitNullCharactersValidator, unicode_repr,
+    unicode_to_repr
 )
 from rest_framework.exceptions import ErrorDetail, ValidationError
 from rest_framework.settings import api_settings
@@ -755,7 +756,7 @@ class CharField(Field):
         'invalid': _('Not a valid string.'),
         'blank': _('This field may not be blank.'),
         'max_length': _('Ensure this field has no more than {max_length} characters.'),
-        'min_length': _('Ensure this field has at least {min_length} characters.')
+        'min_length': _('Ensure this field has at least {min_length} characters.'),
     }
     initial = ''
 
@@ -778,6 +779,10 @@ def __init__(self, **kwargs):
             self.validators.append(
                 MinLengthValidator(self.min_length, message=message))
 
+        # ProhibitNullCharactersValidator is None on Django < 2.0
+        if ProhibitNullCharactersValidator is not None:
+            self.validators.append(ProhibitNullCharactersValidator())
+
     def run_validation(self, data=empty):
         # Test for the empty string here so that it does not get validated,
         # and so that subclasses do not need to handle it explicitly

tests/test_fields.py

@@ -15,6 +15,7 @@
 
 import rest_framework
 from rest_framework import exceptions, serializers
+from rest_framework.compat import ProhibitNullCharactersValidator
 from rest_framework.fields import DjangoImageField, is_simple_callable
 
 try:
@@ -728,6 +729,17 @@ def test_disallow_blank_with_trim_whitespace(self):
             field.run_validation('   ')
         assert exc_info.value.detail == ['This field may not be blank.']
 
+    @pytest.mark.skipif(ProhibitNullCharactersValidator is None, reason="Skipped on Django < 2.0")
+    def test_null_bytes(self):
+        field = serializers.CharField()
+
+        for value in ('\0', 'foo\0', '\0foo', 'foo\0foo'):
+            with pytest.raises(serializers.ValidationError) as exc_info:
+                field.run_validation(value)
+            assert exc_info.value.detail == [
+                'Null characters are not allowed.'
+            ]
+
 
 class TestEmailField(FieldValues):
     """