[Django] #30257: UsernameValidator allows trailing newline in usernames

Django

Mar 15, 2019, 6:50:37 PM
to django-...@googlegroups.com
#30257: UsernameValidator allows trailing newline in usernames
----------------------------------------+------------------------
Reporter: Storyyeller | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
----------------------------------------+------------------------
ASCIIUsernameValidator and UnicodeUsernameValidator use the regex
{{{
r'^[\w.@+-]+$'
}}}

The intent is to only allow alphanumeric characters as well as ., @, +,
and -. However, a little-known quirk of Python regexes is that $ will also
match a trailing newline. Therefore, the user name validators will accept
usernames which end with a newline. You can avoid this behavior by instead
using \A and \Z to terminate regexes. For example, the validator regex
could be changed to
{{{
r'\A[\w.@+-]+\Z'
}}}

in order to reject usernames that end with a newline.

I am not sure how to officially post a patch, but the required change is
trivial - using the regex above in the two validators in
contrib.auth.validators.

--
Ticket URL: <https://code.djangoproject.com/ticket/30257>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Mar 15, 2019, 7:28:59 PM
to django-...@googlegroups.com
#30257: UsernameValidator allows trailing newline in usernames
------------------------------+------------------------------------
Reporter: Storyyeller | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/30257#comment:1>

Django

Mar 16, 2019, 1:11:08 AM
to django-...@googlegroups.com
#30257: UsernameValidator allows trailing newline in usernames
------------------------------+---------------------------------------
Reporter: Storyyeller | Owner: Ryan Schave
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+---------------------------------------
Changes (by Ryan Schave):

* status: new => assigned
* owner: nobody => Ryan Schave


--
Ticket URL: <https://code.djangoproject.com/ticket/30257#comment:2>

Django

Mar 20, 2019, 12:00:45 AM
to django-...@googlegroups.com
#30257: UsernameValidator allows trailing newline in usernames
-------------------------------+---------------------------------------
Reporter: Robert Grosse | Owner: Ryan Schave
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+---------------------------------------
Changes (by Ryan Schave):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/11099 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/30257#comment:3>

Django

Mar 20, 2019, 10:35:38 AM
to django-...@googlegroups.com
#30257: UsernameValidator allows trailing newline in usernames
-------------------------------+---------------------------------------
Reporter: Robert Grosse | Owner: Ryan Schave
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
-------------------------------+---------------------------------------
Changes (by Simon Charette):

* needs_better_patch: 0 => 1


Comment:

Tim reported that the tests are not covering the leading newline case on
the PR.

--
Ticket URL: <https://code.djangoproject.com/ticket/30257#comment:4>

Django

Mar 21, 2019, 11:56:23 PM
to django-...@googlegroups.com
#30257: UsernameValidator allows trailing newline in usernames
-------------------------------+---------------------------------------
Reporter: Robert Grosse | Owner: Ryan Schave
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+---------------------------------------
Changes (by Ryan Schave):

* needs_better_patch: 1 => 0


Comment:

I reviewed the ASCII and Unicode validators and confirmed the regex is
compiled without the MULTILINE flag. In this configuration ^ and \A have
the same behavior - a newline at the beginning of the string is rejected.
I reverted back to ^ and left \Z in place.

--
Ticket URL: <https://code.djangoproject.com/ticket/30257#comment:5>
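
The anchor behavior described in the original report and in comment 5, as an added example (not code from Django or from the ticket): it models a search-based regex validator with a hypothetical `accepts` helper over constructed sample usernames, and goes one step beyond the thread by also running each pattern under re.MULTILINE, where ^ and \A stop being equivalent.

```python
import re

# Character class taken from the ticket; only the anchors differ.
BODY = r"[\w.@+-]+"
PATTERNS = {
    "original ^...$": r"^" + BODY + r"$",
    "proposed \\A...\\Z": r"\A" + BODY + r"\Z",
    "revised ^...\\Z": r"^" + BODY + r"\Z",  # the form described in comment 5
}

# Constructed sample usernames (not taken from the ticket).
SAMPLES = ["alice", "alice\n", "\nalice", "alice\n\n", "al\nice", "alice\r\n"]


def accepts(pattern, value, flags=0):
    """Hypothetical stand-in for a search-based validator: True = value passes."""
    return re.search(pattern, value, flags) is not None


def acceptance_table(flags=0):
    """Map each pattern label to the list of samples it lets through."""
    return {
        label: [s for s in SAMPLES if accepts(pattern, s, flags)]
        for label, pattern in PATTERNS.items()
    }


if __name__ == "__main__":
    for title, flags in (("default flags", 0), ("re.MULTILINE", re.MULTILINE)):
        print(title)
        for label, passed in acceptance_table(flags).items():
            print(f"  {label:20} accepts {passed!r}")
```

With default flags only the original pattern lets "alice\n" through; under re.MULTILINE the ^...\Z form starts accepting values with a leading or embedded newline, so the equivalence of ^ and \A holds only while the validators are compiled without that flag.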

Django

Mar 22, 2019, 1:16:57 PM
to django-...@googlegroups.com
#30257: UsernameValidator allows trailing newline in usernames
-------------------------------+---------------------------------------
Reporter: Robert Grosse | Owner: Ryan Schave
Type: Bug | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+---------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"cbf7e71558c94ce1c327b683768a18a25d82d197" cbf7e715]:
{{{
#!CommitTicketReference repository=""
revision="cbf7e71558c94ce1c327b683768a18a25d82d197"
Fixed #30257 -- Made UsernameValidators prohibit trailing newlines.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30257#comment:6>
