From a4bf15bbc754bd10f782723e6665e7ab7922915c Mon Sep 17 00:00:00 2001
From: Tim Abbott
Date: Mon, 13 May 2019 13:28:17 -0700
Subject: [PATCH] realm_filters: Allows more use of & and friends in URLs.

We had some excessively tight rules about what characters were allowed, which in particular prevented using `?foo=bar&baz=quux` structures in the realm filters URLs. Fixes #12239.
---
 zerver/models.py | 2 +-
 zerver/tests/test_realm_filters.py | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/zerver/models.py b/zerver/models.py
index 283d5e9266..f9b34ee379 100644
--- a/zerver/models.py
+++ b/zerver/models.py
@@ -594,7 +594,7 @@ def filter_pattern_validator(value: str) -> None:
 raise ValidationError(error_msg)
 def filter_format_validator(value: str) -> None:
- regex = re.compile(r'^([\.\/:a-zA-Z0-9#_?=-]+%\(([a-zA-Z0-9_-]+)\)s)+[a-zA-Z0-9_-]*$')
+ regex = re.compile(r'^([\.\/:a-zA-Z0-9#_?=&-]+%\(([a-zA-Z0-9_-]+)\)s)+[/a-zA-Z0-9#_?=&-]*$')
 if not regex.match(value):
 raise ValidationError(_('Invalid URL format string.'))
diff --git a/zerver/tests/test_realm_filters.py b/zerver/tests/test_realm_filters.py
index e53f84f95c..76a5a6f7a3 100644
--- a/zerver/tests/test_realm_filters.py
+++ b/zerver/tests/test_realm_filters.py
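Review bot: In zerver/models.py, the rewritten pattern in `filter_format_validator` still ends in `$` and is checked with `regex.match`, so a format string with a trailing newline passes validation; `if not regex.fullmatch(value):` (or `\Z` in place of `$`) closes that. The pattern also puts no constraint on the scheme: any run of the allowed characters, `:` included, is accepted before the first `%(name)s`, so unless link schemes are restricted where the URL is rendered (not visible here), the prefix should be anchored to `https?://`. The new trailing class `[/a-zA-Z0-9#_?=&-]*` omits the `.` and `:` that the leading class allows, so a template that ends in a file extension after the last placeholder is still rejected, which looks unintended.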
@@ -58,25 +58,25 @@ class RealmFilterTest(ZulipTestCase):
 self.assertIsNotNone(re.match(data['pattern'], 'ZUL2-15'))
 data['pattern'] = r'_code=(?P[0-9a-zA-Z]+)'
- data['url_format_string'] = 'https://realm.com/my_realm_filter/?value=%(id)s'
+ data['url_format_string'] = 'https://example.com/product/%(id)s/details'
 result = self.client_post("/json/realm/filters", info=data)
 self.assert_json_success(result)
 self.assertIsNotNone(re.match(data['pattern'], '_code=123abcdZ'))
 data['pattern'] = r'PR (?P[0-9]+)'
- data['url_format_string'] = 'https://realm.com/my_realm_filter/?value=%(id)s'
+ data['url_format_string'] = 'https://example.com/web#view_type=type&model=model&action=12345&id=%(id)s'
 result = self.client_post("/json/realm/filters", info=data)
 self.assert_json_success(result)
 self.assertIsNotNone(re.match(data['pattern'], 'PR 123'))
 data['pattern'] = r'lp/(?P[0-9]+)'
- data['url_format_string'] = 'https://realm.com/my_realm_filter/?value=%(id)s'
+ data['url_format_string'] = 'https://realm.com/my_realm_filter/?value=%(id)s&sort=reverse'
 result = self.client_post("/json/realm/filters", info=data)
 self.assert_json_success(result)
 self.assertIsNotNone(re.match(data['pattern'], 'lp/123'))
 data['pattern'] = r'lp:(?P[0-9]+)'
- data['url_format_string'] = 'https://realm.com/my_realm_filter/?value=%(id)s'
+ data['url_format_string'] = 'https://realm.com/my_realm_filter/?sort=reverse&value=%(id)s'
 result = self.client_post("/json/realm/filters", info=data)
 self.assert_json_success(result)
 self.assertIsNotNone(re.match(data['pattern'], 'lp:123'))
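Review bot: All four rewritten cases in this hunk are acceptance cases, so nothing here pins where the widened character class in `filter_format_validator` stops. A rejection case alongside them would catch a later over-widening, for example setting `data['url_format_string']` to a value with a character outside the class (a space, or a trailing newline) and asserting the request fails with `self.assert_json_error(result, ...)`. Rejection cases may exist earlier in the test method, which starts outside this hunk.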