#26334: django.contrib.auth forms strip password fields
------------------------------+--------------------
Reporter: juristi | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.9
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------
I upgraded an existing site to Django 1.9. The new CharField strip
functionality that is turned on by default now strips all white space from
the beginning and the end of the passwords, which prevents affected users
from logging in with their correct password. The users must use the
password recovery functionality to be able to log in again.
An example:
Django 1.8 site has a user with password " aaa ", which is stored in db.
Site is upgraded to Django 1.9
AuthenticationForm now tries to log in user with password "aaa" instead of
the correct one.
Also stripping the input text may cause users to have less secure
passwords than they think.
All password fields in django.contrib.auth should add strip=False to their
arguments.
--
Ticket URL: <https://code.djangoproject.com/ticket/26334>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/050.5779e6cf331f22e8bcac6072124c0dc3%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
