#26334 closed Bug (fixed)
django.contrib.auth forms shouldn't strip whitespace from password fields
Reported by: | juristi | Owned by: | Vincenzo Pandolfo |
---|---|---|---|
Component: | contrib.auth | Version: | 1.9 |
Severity: | Release blocker | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I upgraded an existing site to Django 1.9. The new CharField strip functionality that is turned on by default now strips all white space from the beginning and the end of the passwords, which prevents affected users from logging in with their correct password. The users must use the password recovery functionality to be able to log in again.
An example:
Django 1.8 site has a user with password " aaa ", which is stored in db.
Site is upgraded to Django 1.9.
AuthenticationForm now tries to log in user with password "aaa" instead of the correct one.
Also, stripping the input text may cause users to have less secure passwords than they think.
All password fields in django.contrib.auth should add strip=False to their arguments.
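The two effects reported above (a login failure after the upgrade, and a stored password weaker than the user believes) can be reproduced with the standard library alone. This is an added example, not part of the ticket and not Django's code: `clean_password`, `hash_password`, `login` and `register` are hypothetical names, `clean_password` is a simplified stand-in for the form field's cleaning step, and the salt and PBKDF2 parameters are constructed.

```python
import hashlib
import hmac


def clean_password(raw, strip=True):
    """Simplified stand-in for a form CharField's cleaning step.

    strip=True models the Django 1.9 default described in the ticket;
    strip=False models the requested fix.
    """
    return raw.strip() if strip else raw


def hash_password(password, salt, iterations=100_000):
    # PBKDF2-HMAC-SHA256, used here only as a generic salted password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def login(submitted, stored_hash, salt, strip):
    """Return True if the cleaned submission matches the stored hash."""
    candidate = hash_password(clean_password(submitted, strip=strip), salt)
    return hmac.compare_digest(candidate, stored_hash)


def register(submitted, salt, strip):
    """Return the hash that would be stored for a new password after cleaning."""
    return hash_password(clean_password(submitted, strip=strip), salt)


# Constructed sample data: the password from the ticket's example.
SALT = b"constructed-salt"              # fixed so results are reproducible
STORED = hash_password(" aaa ", SALT)   # stored before the upgrade, unstripped


def demo():
    return {
        # Upgrade regression: the correct password no longer matches.
        "login_with_strip": login(" aaa ", STORED, SALT, strip=True),
        "login_without_strip": login(" aaa ", STORED, SALT, strip=False),
        # With stripping, a password set as " aaa " is stored as "aaa".
        "weakened": register(" aaa ", SALT, strip=True) == hash_password("aaa", SALT),
        "preserved": register(" aaa ", SALT, strip=False) == STORED,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A regression test for a real form can assert the same property: the cleaned value of every password field equals the submitted value, including leading and trailing whitespace.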
Change History (5)
comment:1 by , 9 years ago
Severity: | Normal → Release blocker |
---|---|
Summary: | django.contrib.auth forms strip password fields → django.contrib.auth forms shouldn't strip whitespace from password fields |
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |