mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-02-22 15:34:50 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #26334 -- Removed whitespace stripping from contrib.auth password fields.

Browse Source
This commit is contained in:
Vincenzo Pandolfo 2016-03-14 20:21:05 +00:00 committed by Tim Graham
parent b4347d82b7
commit d0fe6c9156
3 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
django/contrib/auth/forms.py
View File

@ -69,9 +69,11 @@ class UserCreationForm(forms.ModelForm):
'password_mismatch': _("The two password fields didn't match."), 'password_mismatch': _("The two password fields didn't match."),
} }
password1 = forms.CharField(label=_("Password"), password1 = forms.CharField(label=_("Password"),
strip=False,
widget=forms.PasswordInput) widget=forms.PasswordInput)
password2 = forms.CharField(label=_("Password confirmation"), password2 = forms.CharField(label=_("Password confirmation"),
widget=forms.PasswordInput, widget=forms.PasswordInput,
strip=False,
help_text=_("Enter the same password as before, for verification.")) help_text=_("Enter the same password as before, for verification."))
class Meta: class Meta:
@ -134,7 +136,7 @@ class AuthenticationForm(forms.Form):
max_length=254, max_length=254,
widget=forms.TextInput(attrs={'autofocus': ''}), widget=forms.TextInput(attrs={'autofocus': ''}),
) )
password = forms.CharField(label=_("Password"), widget=forms.PasswordInput) password = forms.CharField(label=_("Password"), strip=False, widget=forms.PasswordInput)
error_messages = { error_messages = {
'invalid_login': _("Please enter a correct %(username)s and password. " 'invalid_login': _("Please enter a correct %(username)s and password. "
@ -276,8 +278,10 @@ class SetPasswordForm(forms.Form):
} }
new_password1 = forms.CharField(label=_("New password"), new_password1 = forms.CharField(label=_("New password"),
widget=forms.PasswordInput, widget=forms.PasswordInput,
strip=False,
help_text=password_validation.password_validators_help_text_html()) help_text=password_validation.password_validators_help_text_html())
new_password2 = forms.CharField(label=_("New password confirmation"), new_password2 = forms.CharField(label=_("New password confirmation"),
strip=False,
widget=forms.PasswordInput) widget=forms.PasswordInput)
def __init__(self, user, *args, **kwargs): def __init__(self, user, *args, **kwargs):
@ -315,6 +319,7 @@ class PasswordChangeForm(SetPasswordForm):
}) })
old_password = forms.CharField( old_password = forms.CharField(
label=_("Old password"), label=_("Old password"),
strip=False,
widget=forms.PasswordInput(attrs={'autofocus': ''}), widget=forms.PasswordInput(attrs={'autofocus': ''}),
) )
@ -344,11 +349,13 @@ class AdminPasswordChangeForm(forms.Form):
password1 = forms.CharField( password1 = forms.CharField(
label=_("Password"), label=_("Password"),
widget=forms.PasswordInput(attrs={'autofocus': ''}), widget=forms.PasswordInput(attrs={'autofocus': ''}),
strip=False,
help_text=password_validation.password_validators_help_text_html(), help_text=password_validation.password_validators_help_text_html(),
) )
password2 = forms.CharField( password2 = forms.CharField(
label=_("Password (again)"), label=_("Password (again)"),
widget=forms.PasswordInput, widget=forms.PasswordInput,
strip=False,
help_text=_("Enter the same password as before, for verification."), help_text=_("Enter the same password as before, for verification."),
) )

6
docs/releases/1.9.5.txt
View File

@ -19,3 +19,9 @@ Bugfixes
* Fixed data loss on SQLite where ``DurationField`` values with fractional * Fixed data loss on SQLite where ``DurationField`` values with fractional
seconds could be saved as ``None`` (:ticket:`26324`). seconds could be saved as ``None`` (:ticket:`26324`).
* The forms in ``contrib.auth`` no longer strip trailing and leading whitespace
from the password fields (:ticket:`26334`). The change requires users who set
their password to something with such whitespace after a site updated to
Django 1.9 to reset their password. It provides backwards-compatibility for
earlier versions of Django.

56
tests/auth_tests/test_forms.py
View File

@ -139,6 +139,17 @@ class UserCreationFormTest(TestDataMixin, TestCase):
form = CustomUserCreationForm(data) form = CustomUserCreationForm(data)
self.assertTrue(form.is_valid()) self.assertTrue(form.is_valid())
def test_password_whitespace_not_stripped(self):
data = {
'username': 'testuser',
'password1': ' testpassword ',
'password2': ' testpassword ',
}
form = UserCreationForm(data)
self.assertTrue(form.is_valid())
self.assertEqual(form.cleaned_data['password1'], data['password1'])
self.assertEqual(form.cleaned_data['password2'], data['password2'])
class AuthenticationFormTest(TestDataMixin, TestCase): class AuthenticationFormTest(TestDataMixin, TestCase):
@ -248,6 +259,15 @@ class AuthenticationFormTest(TestDataMixin, TestCase):
form = CustomAuthenticationForm() form = CustomAuthenticationForm()
self.assertEqual(form.fields['username'].label, "") self.assertEqual(form.fields['username'].label, "")
def test_password_whitespace_not_stripped(self):
data = {
'username': 'testuser',
'password': ' pass ',
}
form = AuthenticationForm(None, data)
form.is_valid() # Not necessary to have valid credentails for the test.
self.assertEqual(form.cleaned_data['password'], data['password'])
class SetPasswordFormTest(TestDataMixin, TestCase): class SetPasswordFormTest(TestDataMixin, TestCase):
@ -298,6 +318,17 @@ class SetPasswordFormTest(TestDataMixin, TestCase):
form["new_password2"].errors form["new_password2"].errors
) )
def test_password_whitespace_not_stripped(self):
user = User.objects.get(username='testclient')
data = {
'new_password1': ' password ',
'new_password2': ' password ',
}
form = SetPasswordForm(user, data)
self.assertTrue(form.is_valid())
self.assertEqual(form.cleaned_data['new_password1'], data['new_password1'])
self.assertEqual(form.cleaned_data['new_password2'], data['new_password2'])
class PasswordChangeFormTest(TestDataMixin, TestCase): class PasswordChangeFormTest(TestDataMixin, TestCase):
@ -348,6 +379,20 @@ class PasswordChangeFormTest(TestDataMixin, TestCase):
self.assertEqual(list(PasswordChangeForm(user, {}).fields), self.assertEqual(list(PasswordChangeForm(user, {}).fields),
['old_password', 'new_password1', 'new_password2']) ['old_password', 'new_password1', 'new_password2'])
def test_password_whitespace_not_stripped(self):
user = User.objects.get(username='testclient')
user.set_password(' oldpassword ')
data = {
'old_password': ' oldpassword ',
'new_password1': ' pass ',
'new_password2': ' pass ',
}
form = PasswordChangeForm(user, data)
self.assertTrue(form.is_valid())
self.assertEqual(form.cleaned_data['old_password'], data['old_password'])
self.assertEqual(form.cleaned_data['new_password1'], data['new_password1'])
self.assertEqual(form.cleaned_data['new_password2'], data['new_password2'])
class UserChangeFormTest(TestDataMixin, TestCase): class UserChangeFormTest(TestDataMixin, TestCase):
@ -635,3 +680,14 @@ class AdminPasswordChangeFormTest(TestDataMixin, TestCase):
self.assertEqual(password_changed.call_count, 0) self.assertEqual(password_changed.call_count, 0)
form.save() form.save()
self.assertEqual(password_changed.call_count, 1) self.assertEqual(password_changed.call_count, 1)
def test_password_whitespace_not_stripped(self):
user = User.objects.get(username='testclient')
data = {
'password1': ' pass ',
'password2': ' pass ',
}
form = AdminPasswordChangeForm(user, data)
self.assertTrue(form.is_valid())
self.assertEqual(form.cleaned_data['password1'], data['password1'])
self.assertEqual(form.cleaned_data['password2'], data['password2'])