[Django] #36711: createsuperuser in non-interactive mode bypasses AUTH_PASSWORD_VALIDATORS


Django

Nov 5, 2025, 6:14:08 PM
to django-...@googlegroups.com
#36711: createsuperuser in non-interactive mode bypasses AUTH_PASSWORD_VALIDATORS
----------------------------------------+---------------------------
Reporter: stan shaw | Owner: stan shaw
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+---------------------------
'''Component:''' django.contrib.auth

== Description ==
The createsuperuser management command behaves inconsistently when running
in interactive mode versus non-interactive mode (--noinput).

'''Interactive Mode:''' When run interactively, the command correctly
prompts for a password and validates it against the
AUTH_PASSWORD_VALIDATORS defined in settings.py.

'''Non-Interactive Mode:''' When run with --noinput, the command pulls the
password from the DJANGO_SUPERUSER_PASSWORD environment variable. However,
it '''fails to run this password through the validators'''. It passes the
password directly to the create_superuser method.

This allows a weak, non-compliant password to be set in automated
environments (like CI/CD pipelines, Dockerfiles, or deployment scripts),
completely bypassing the project's configured password security policy.

== How to Reproduce ==

'''Configure Validators:''' In your project's settings.py, add a strict
password validator:
{{{#!python
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {
            'min_length': 20,  # Set a long minimum length
        }
    },
]
}}}

'''Apply Migrations:''' Ensure the database is set up.
{{{#!bash
python manage.py migrate
}}}

'''Test Interactive Mode (Works Correctly):'''
Run the command interactively and try to enter a short password.
{{{#!bash
$ python manage.py createsuperuser
Username: testuser
Email address: te...@example.com
Password: 123
Password (again): 123
This password is too short. It must contain at least 20 characters.
Bypass password validation and create user anyway? [y/N]:
...
}}}
This fails as expected.

'''Test Non-Interactive Mode (The Bug):'''
Set the environment variable to the same short, invalid password and run
with --noinput.
{{{#!bash
export DJANGO_SUPERUSER_PASSWORD="123"
python manage.py createsuperuser --noinput --username admin --email ad...@example.com
}}}

== Expected Result ==
The command should fail with a CommandError stating, "This password is too
short."

== Actual Result ==
The command succeeds, and the superuser is created with the non-compliant
password "123".
{{{
Superuser created successfully.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36711>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
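Added example, not code from the ticket, the linked PR or Django itself: a self-contained model of the hardened `--noinput` path, where the value of `DJANGO_SUPERUSER_PASSWORD` goes through the validator chain before any user is created and validation messages are turned into a `CommandError`. The `validate_password` helper mirrors the aggregate-then-raise behaviour of `django.contrib.auth.password_validation.validate_password`; the classes are stand-ins with Django's message texts, and the `NumericPasswordValidator` goes beyond the ticket's settings to show that several messages are reported together.

```python
class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError (assumption)."""
    def __init__(self, messages):
        super().__init__(messages)
        self.messages = list(messages)


class CommandError(Exception):
    """Stand-in for django.core.management.base.CommandError (assumption)."""


class MinimumLengthValidator:
    """Same message text as Django's validator of this name."""
    def __init__(self, min_length=8):
        self.min_length = min_length

    def validate(self, password):
        if len(password) < self.min_length:
            raise ValidationError([f"This password is too short. It must contain "
                                   f"at least {self.min_length} characters."])


class NumericPasswordValidator:
    """Added beyond the ticket's settings so that two messages get aggregated."""
    def validate(self, password):
        if password.isdigit():
            raise ValidationError(["This password is entirely numeric."])


def validate_password(password, validators):
    """Run every validator and raise once with all messages collected,
    mirroring django.contrib.auth.password_validation.validate_password."""
    errors = []
    for validator in validators:
        try:
            validator.validate(password)
        except ValidationError as err:
            errors.extend(err.messages)
    if errors:
        raise ValidationError(errors)


def create_superuser_noinput(env, validators):
    """Hardened --noinput path (env is os.environ in the real command): validate
    before creating. The ticket's bug is that this validation step is missing."""
    username = env.get("DJANGO_SUPERUSER_USERNAME")
    password = env.get("DJANGO_SUPERUSER_PASSWORD")
    if not username or not password:
        raise CommandError("Set DJANGO_SUPERUSER_USERNAME and DJANGO_SUPERUSER_PASSWORD.")
    try:
        validate_password(password, validators)
    except ValidationError as err:
        raise CommandError("\n".join(err.messages)) from err
    return {"username": username, "is_superuser": True}  # stand-in for create_superuser()
```

With the ticket's `min_length` of 20, the password "123" is rejected with the same message the interactive prompt shows, and no user record is produced.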

Django

Nov 5, 2025, 6:37:49 PM
to django-...@googlegroups.com
#36711: createsuperuser in non-interactive mode bypasses AUTH_PASSWORD_VALIDATORS
------------------------------+--------------------------------------
Reporter: stan shaw | Owner: stan shaw
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Jacob Walls):

* cc: Markus Holtermann, Hasan Ramezani (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36711#comment:1>

Django

Nov 5, 2025, 7:54:05 PM
to django-...@googlegroups.com
#36711: createsuperuser in non-interactive mode bypasses AUTH_PASSWORD_VALIDATORS
------------------------------+--------------------------------------
Reporter: stan shaw | Owner: stan shaw
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Comment (by stan shaw):

I've opened a Pull Request for this ticket on GitHub here:
https://github.com/django/django/pull/20062/commits/

This PR includes the necessary fix and corresponding tests, and is now
ready for review.
--
Ticket URL: <https://code.djangoproject.com/ticket/36711#comment:2>

Django

Nov 6, 2025, 7:13:10 AM
to django-...@googlegroups.com
#36711: createsuperuser in non-interactive mode bypasses AUTH_PASSWORD_VALIDATORS
------------------------------+--------------------------------------
Reporter: stan shaw | Owner: stan shaw
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by stan shaw):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36711#comment:3>