[5.2.x] Fixed #36179 -- Unhexed entries and removed duplicates in auth/common-passwords.txt.gz.

Backport of 727731d76d9dfd5304d536478d862778f6dd6d9b from main.
2025-03-06 07:22:32 +00:00 · 2025-02-09 17:14:08 +01:00 · 2025-02-09 17:14:08 +01:00 · cb2ab4ee84
commit cb2ab4ee84
parent ae391ca368
3 changed files with 10 additions and 1 deletions
--- a/django/contrib/auth/common-passwords.txt.gz
+++ b/django/contrib/auth/common-passwords.txt.gz
--- a/django/contrib/auth/password_validation.py
+++ b/django/contrib/auth/password_validation.py
@ -222,7 +222,7 @@ class CommonPasswordValidator:

    The password is rejected if it occurs in a provided list of passwords,
    which may be gzipped. The list Django ships with contains 20000 common
-    passwords (lowercased and deduplicated), created by Royce Williams:
+    passwords (unhexed, lowercased and deduplicated), created by Royce Williams:
    https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce
    The password list must be lowercased to match the comparison in validate().
    """
--- a/tests/auth_tests/test_validators.py
+++ b/tests/auth_tests/test_validators.py
@ -273,6 +273,15 @@ class CommonPasswordValidatorTest(SimpleTestCase):
            CommonPasswordValidator().validate("godzilla")
        self.assertEqual(cm.exception.messages, [expected_error])

+    def test_common_hexed_codes(self):
+        expected_error = "This password is too common."
+        common_hexed_passwords = ["asdfjkl:", "&#2336:"]
+        for password in common_hexed_passwords:
+            with self.subTest(password=password):
+                with self.assertRaises(ValidationError) as cm:
+                    CommonPasswordValidator().validate(password)
+                self.assertEqual(cm.exception.messages, [expected_error])
+
    def test_validate_custom_list(self):
        path = os.path.join(
            os.path.dirname(os.path.realpath(__file__)), "common-passwords-custom.txt"