mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	Fixed #26334 -- Removed whitespace stripping from contrib.auth password fields.
This commit is contained in:
		
				
					committed by
					
						 Tim Graham
						Tim Graham
					
				
			
			
				
	
			
			
			
						parent
						
							b4347d82b7
						
					
				
				
					commit
					d0fe6c9156
				
			| @@ -69,9 +69,11 @@ class UserCreationForm(forms.ModelForm): | ||||
|         'password_mismatch': _("The two password fields didn't match."), | ||||
|     } | ||||
|     password1 = forms.CharField(label=_("Password"), | ||||
|         strip=False, | ||||
|         widget=forms.PasswordInput) | ||||
|     password2 = forms.CharField(label=_("Password confirmation"), | ||||
|         widget=forms.PasswordInput, | ||||
|         strip=False, | ||||
|         help_text=_("Enter the same password as before, for verification.")) | ||||
|  | ||||
|     class Meta: | ||||
| @@ -134,7 +136,7 @@ class AuthenticationForm(forms.Form): | ||||
|         max_length=254, | ||||
|         widget=forms.TextInput(attrs={'autofocus': ''}), | ||||
|     ) | ||||
|     password = forms.CharField(label=_("Password"), widget=forms.PasswordInput) | ||||
|     password = forms.CharField(label=_("Password"), strip=False, widget=forms.PasswordInput) | ||||
|  | ||||
|     error_messages = { | ||||
|         'invalid_login': _("Please enter a correct %(username)s and password. " | ||||
| @@ -276,8 +278,10 @@ class SetPasswordForm(forms.Form): | ||||
|     } | ||||
|     new_password1 = forms.CharField(label=_("New password"), | ||||
|                                     widget=forms.PasswordInput, | ||||
|                                     strip=False, | ||||
|                                     help_text=password_validation.password_validators_help_text_html()) | ||||
|     new_password2 = forms.CharField(label=_("New password confirmation"), | ||||
|                                     strip=False, | ||||
|                                     widget=forms.PasswordInput) | ||||
|  | ||||
|     def __init__(self, user, *args, **kwargs): | ||||
| @@ -315,6 +319,7 @@ class PasswordChangeForm(SetPasswordForm): | ||||
|     }) | ||||
|     old_password = forms.CharField( | ||||
|         label=_("Old password"), | ||||
|         strip=False, | ||||
|         widget=forms.PasswordInput(attrs={'autofocus': ''}), | ||||
|     ) | ||||
|  | ||||
| @@ -344,11 +349,13 @@ class AdminPasswordChangeForm(forms.Form): | ||||
|     password1 = forms.CharField( | ||||
|         label=_("Password"), | ||||
|         widget=forms.PasswordInput(attrs={'autofocus': ''}), | ||||
|         strip=False, | ||||
|         help_text=password_validation.password_validators_help_text_html(), | ||||
|     ) | ||||
|     password2 = forms.CharField( | ||||
|         label=_("Password (again)"), | ||||
|         widget=forms.PasswordInput, | ||||
|         strip=False, | ||||
|         help_text=_("Enter the same password as before, for verification."), | ||||
|     ) | ||||
|  | ||||
|   | ||||
| @@ -19,3 +19,9 @@ Bugfixes | ||||
|  | ||||
| * Fixed data loss on SQLite where ``DurationField`` values with fractional | ||||
|   seconds could be saved as ``None`` (:ticket:`26324`). | ||||
|  | ||||
| * The forms in ``contrib.auth`` no longer strip trailing and leading whitespace | ||||
|   from the password fields (:ticket:`26334`). The change requires users who set | ||||
|   their password to something with such whitespace after a site updated to | ||||
|   Django 1.9 to reset their password. It provides backwards-compatibility for | ||||
|   earlier versions of Django. | ||||
|   | ||||
| @@ -139,6 +139,17 @@ class UserCreationFormTest(TestDataMixin, TestCase): | ||||
|         form = CustomUserCreationForm(data) | ||||
|         self.assertTrue(form.is_valid()) | ||||
|  | ||||
|     def test_password_whitespace_not_stripped(self): | ||||
|         data = { | ||||
|             'username': 'testuser', | ||||
|             'password1': '   testpassword   ', | ||||
|             'password2': '   testpassword   ', | ||||
|         } | ||||
|         form = UserCreationForm(data) | ||||
|         self.assertTrue(form.is_valid()) | ||||
|         self.assertEqual(form.cleaned_data['password1'], data['password1']) | ||||
|         self.assertEqual(form.cleaned_data['password2'], data['password2']) | ||||
|  | ||||
|  | ||||
| class AuthenticationFormTest(TestDataMixin, TestCase): | ||||
|  | ||||
| @@ -248,6 +259,15 @@ class AuthenticationFormTest(TestDataMixin, TestCase): | ||||
|         form = CustomAuthenticationForm() | ||||
|         self.assertEqual(form.fields['username'].label, "") | ||||
|  | ||||
|     def test_password_whitespace_not_stripped(self): | ||||
|         data = { | ||||
|             'username': 'testuser', | ||||
|             'password': ' pass ', | ||||
|         } | ||||
|         form = AuthenticationForm(None, data) | ||||
|         form.is_valid()  # Not necessary to have valid credentails for the test. | ||||
|         self.assertEqual(form.cleaned_data['password'], data['password']) | ||||
|  | ||||
|  | ||||
| class SetPasswordFormTest(TestDataMixin, TestCase): | ||||
|  | ||||
| @@ -298,6 +318,17 @@ class SetPasswordFormTest(TestDataMixin, TestCase): | ||||
|             form["new_password2"].errors | ||||
|         ) | ||||
|  | ||||
|     def test_password_whitespace_not_stripped(self): | ||||
|         user = User.objects.get(username='testclient') | ||||
|         data = { | ||||
|             'new_password1': '   password   ', | ||||
|             'new_password2': '   password   ', | ||||
|         } | ||||
|         form = SetPasswordForm(user, data) | ||||
|         self.assertTrue(form.is_valid()) | ||||
|         self.assertEqual(form.cleaned_data['new_password1'], data['new_password1']) | ||||
|         self.assertEqual(form.cleaned_data['new_password2'], data['new_password2']) | ||||
|  | ||||
|  | ||||
| class PasswordChangeFormTest(TestDataMixin, TestCase): | ||||
|  | ||||
| @@ -348,6 +379,20 @@ class PasswordChangeFormTest(TestDataMixin, TestCase): | ||||
|         self.assertEqual(list(PasswordChangeForm(user, {}).fields), | ||||
|                          ['old_password', 'new_password1', 'new_password2']) | ||||
|  | ||||
|     def test_password_whitespace_not_stripped(self): | ||||
|         user = User.objects.get(username='testclient') | ||||
|         user.set_password('   oldpassword   ') | ||||
|         data = { | ||||
|             'old_password': '   oldpassword   ', | ||||
|             'new_password1': ' pass ', | ||||
|             'new_password2': ' pass ', | ||||
|         } | ||||
|         form = PasswordChangeForm(user, data) | ||||
|         self.assertTrue(form.is_valid()) | ||||
|         self.assertEqual(form.cleaned_data['old_password'], data['old_password']) | ||||
|         self.assertEqual(form.cleaned_data['new_password1'], data['new_password1']) | ||||
|         self.assertEqual(form.cleaned_data['new_password2'], data['new_password2']) | ||||
|  | ||||
|  | ||||
| class UserChangeFormTest(TestDataMixin, TestCase): | ||||
|  | ||||
| @@ -635,3 +680,14 @@ class AdminPasswordChangeFormTest(TestDataMixin, TestCase): | ||||
|         self.assertEqual(password_changed.call_count, 0) | ||||
|         form.save() | ||||
|         self.assertEqual(password_changed.call_count, 1) | ||||
|  | ||||
|     def test_password_whitespace_not_stripped(self): | ||||
|         user = User.objects.get(username='testclient') | ||||
|         data = { | ||||
|             'password1': ' pass ', | ||||
|             'password2': ' pass ', | ||||
|         } | ||||
|         form = AdminPasswordChangeForm(user, data) | ||||
|         self.assertTrue(form.is_valid()) | ||||
|         self.assertEqual(form.cleaned_data['password1'], data['password1']) | ||||
|         self.assertEqual(form.cleaned_data['password2'], data['password2']) | ||||
|   | ||||
		Reference in New Issue
	
	Block a user