[Django] #26334: django.contrib.auth forms strip password fields
Django
------------------------------+--------------------
Reporter: juristi | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.9
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------
I upgraded an existing site to Django 1.9. The new CharField strip
functionality that is turned on by default now strips all white space from
the beginning and the end of the passwords, which prevents affected users
from logging in with their correct password. The users must use the
password recovery functionality to be able to log in again.
An example:
Django 1.8 site has a user with password " aaa ", which is stored in db.
Site is upgraded to Django 1.9
AuthenticationForm now tries to log in user with password "aaa" instead of
the correct one.
Also stripping the input text may cause users to have less secure
passwords than they think.
All password fields in django.contrib.auth should add strip=False to their
arguments.
--
Ticket URL: <https://code.djangoproject.com/ticket/26334>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
---------------------------------+------------------------------------
Reporter: juristi | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.9
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by timgraham):
* severity: Normal => Release blocker
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/26334#comment:1>
Django
Reporter: juristi | Owner: vincepandolfo
Type: Bug | Status: assigned
Component: contrib.auth | Version: 1.9
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by vincepandolfo):
* owner: nobody => vincepandolfo
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/26334#comment:2>
Django
---------------------------------+-----------------------------------------
Reporter: juristi | Owner: vincepandolfo
Type: Bug | Status: assigned
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by vincepandolfo):
* has_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/26334#comment:3>
Django
---------------------------------+-----------------------------------------
Reporter: juristi | Owner: vincepandolfo
Component: contrib.auth | Version: 1.9
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"d0fe6c915665fa3220e84bd691ba7002a357e5c5" d0fe6c9]:
{{{
#!CommitTicketReference repository=""
revision="d0fe6c915665fa3220e84bd691ba7002a357e5c5"
Fixed #26334 -- Removed whitespace stripping from contrib.auth password
fields.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26334#comment:4>
Django
---------------------------------+-----------------------------------------
Reporter: juristi | Owner: vincepandolfo
Type: Bug | Status: closed
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"c6424efbc6114eeefe7ec7545de7e127ed189e92" c6424efb]:
{{{
#!CommitTicketReference repository=""
revision="c6424efbc6114eeefe7ec7545de7e127ed189e92"
[1.9.x] Fixed #26334 -- Removed whitespace stripping from contrib.auth
password fields.
Backport of d0fe6c915665fa3220e84bd691ba7002a357e5c5 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26334#comment:5>