[Django] #28881: Common password validator does not handle case correctly

Django
#28881: Common password validator does not handle case correctly
-----------------------------------------+------------------------
               Reporter:  Nick Farrell   |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  Uncategorized  |        Version:  1.11
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 The CommonPasswordValidator holds a set of common passwords in memory,
 after strip()ing any whitespace.
 While validating a password, it converts it to lowercase before comparing
 to the set. However, the reference set was not converted to lowercase.

 This is not a problem when using the default set of common passwords, as
 they have been preprocessed to be lowercase. However, there is nothing in
 the documentation indicating this preprocessing should occur.

--
Ticket URL: <https://code.djangoproject.com/ticket/28881>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/049.912b909ca439d3f38666b2d113de4042%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
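The mismatch described in the ticket above, as an added example that is not part of the original thread and not Django's own code: a small model of the two steps the report names (the list is loaded with strip() only, the candidate is lowercased before lookup), with an audit and a normalization step for a custom list. All function names and the sample list are constructed for illustration.

```python
import os
import tempfile

# Constructed sample: a custom list shipped with mixed-case entries.
SAMPLE_LIST = "Password1\nqwerty\n  LetMeIn  \nDragon\n"


def load_passwords(path):
    """Model of the load step in the ticket: strip() only, no lower()."""
    with open(path, encoding="utf-8") as f:
        return {line.strip() for line in f if line.strip()}


def is_rejected(password, passwords):
    """Model of the check: the candidate is lowercased, the set is not."""
    return password.lower().strip() in passwords


def unreachable_entries(passwords):
    """List entries that can never match because they are not lowercase."""
    return sorted(p for p in passwords if p != p.lower())


def normalize_list(src_path, dst_path):
    """Write a lowercase, de-duplicated copy of a custom list."""
    cleaned = sorted({p.lower() for p in load_passwords(src_path)})
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write("\n".join(cleaned) + "\n")
    return cleaned


def demo():
    """Audit the sample list, normalize it, and compare both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        raw = os.path.join(tmp, "custom.txt")
        fixed = os.path.join(tmp, "custom-lower.txt")
        with open(raw, "w", encoding="utf-8") as f:
            f.write(SAMPLE_LIST)
        before = load_passwords(raw)
        normalize_list(raw, fixed)
        after = load_passwords(fixed)
        return {
            "unreachable": unreachable_entries(before),
            "rejected_before": is_rejected("Password1", before),
            "rejected_after": is_rejected("Password1", after),
            "lowercase_entry": is_rejected("QWERTY", before),
        }


if __name__ == "__main__":
    print(demo())
```

Running the audit over a custom list before deploying it shows which entries are silently skipped; the normalized copy is the file to hand to the validator.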

Re: [Django] #28881: Common password validator does not handle case correctly

Django
#28881: Common password validator does not handle case correctly
-------------------------------+--------------------------------------
     Reporter:  Nick Farrell   |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Description changed by Nick Farrell:

Old description:

> The CommonPasswordValidator holds a set of common passwords in memory,
> after strip()ing any whitespace.
> While validating a password, it converts it to lowercase before comparing
> to the set. However, the reference set was not converted to lowercase.
>
> This is not a problem when using the default set of common passwords, as
> they have been preprocessed to be lowercase. However, there is nothing in
> the documentation indicating this preprocessing should occur.

New description:

 The CommonPasswordValidator holds a set of common passwords in memory,
 after strip()ing any whitespace.
 While validating a password, it converts it to lowercase before comparing
 to the set. However, the reference set was not converted to lowercase.

 This is not a problem when using the default set of common passwords, as
 they have been preprocessed to be lowercase. However, there is nothing in
 the documentation indicating this preprocessing should occur.

 https://github.com/django/django/pull/9414

--

--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:1>

Re: [Django] #28881: Common password validator does not handle case correctly

Django
#28881: Common password validator does not handle case correctly
-------------------------------+--------------------------------------
     Reporter:  Nick Farrell   |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  Uncategorized  |                  Version:  1.11
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Description changed by Nick Farrell:

Old description:

> The CommonPasswordValidator holds a set of common passwords in memory,
> after strip()ing any whitespace.
> While validating a password, it converts it to lowercase before comparing
> to the set. However, the reference set was not converted to lowercase.
>
> This is not a problem when using the default set of common passwords, as
> they have been preprocessed to be lowercase. However, there is nothing in
> the documentation indicating this preprocessing should occur.
>
> https://github.com/django/django/pull/9414
New description:

 The CommonPasswordValidator holds a set of common passwords in memory,
 after strip()ing any whitespace.
 While validating a password, it converts it to lowercase before comparing
 to the set. However, the reference set was not converted to lowercase.

 This is not a problem when using the default set of common passwords, as
 they have been preprocessed to be lowercase. However, there is nothing in
 the documentation indicating this preprocessing should occur.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:2>

Re: [Django] #28881: Common password validator does not handle case correctly

Django
#28881: Common password validator does not handle case correctly
-------------------------------+--------------------------------------
     Reporter:  Nick Farrell   |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  Uncategorized  |                  Version:  2.0
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by Nick Farrell):

 * version:  1.11 => 2.0


--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:3>

Re: [Django] #28881: Document that CommonPasswordValidator assumes all words are lower case (was: Common password validator does not handle case correctly)

Django
#28881: Document that CommonPasswordValidator assumes all words are lower case
--------------------------------------+------------------------------------
     Reporter:  Nick Farrell          |                    Owner:  nobody
         Type:  Cleanup/optimization  |                   Status:  new
    Component:  Documentation         |                  Version:  2.0
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  0                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

 * component:  Uncategorized => Documentation
 * type:  Uncategorized => Cleanup/optimization
 * stage:  Unreviewed => Accepted


Comment:

 I think documenting the existing requirement for the password list to be
 lower case would be fine. A documentation fix would address the problem
 for older versions of Django and also avoid unnecessary computations for
 lists that are already lower case.

--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:4>

Re: [Django] #28881: Document that CommonPasswordValidator assumes all words are lower case

Django
#28881: Document that CommonPasswordValidator assumes all words are lower case
--------------------------------------+------------------------------------
     Reporter:  Nick Farrell          |                    Owner:  Karmen
         Type:  Cleanup/optimization  |                   Status:  assigned
    Component:  Documentation         |                  Version:  2.0
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  0                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------
Changes (by Karmen):

 * owner:  nobody => Karmen
 * status:  new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:5>

Re: [Django] #28881: Document that CommonPasswordValidator assumes all words are lower case

Django
#28881: Document that CommonPasswordValidator assumes all words are lower case
-------------------------------------+-------------------------------------
     Reporter:  Nick Farrell         |                    Owner:  Karmen
         Type:                       |                   Status:  assigned
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  2.0
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Ready for
                                     |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

 * has_patch:  0 => 1
 * stage:  Accepted => Ready for checkin


Comment:

 [https://github.com/django/django/pull/9586#pullrequestreview-88743187 PR]
 adds small doc fix.

--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:6>

Re: [Django] #28881: Document that CommonPasswordValidator assumes all words are lower case

Django
#28881: Document that CommonPasswordValidator assumes all words are lower case
-------------------------------------+-------------------------------------
     Reporter:  Nick Farrell         |                    Owner:  Karmen
         Type:                       |                   Status:  closed
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  2.0
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Ready for
                                     |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"4fcd28d442c2fec56f544f99cb658f33f847824c" 4fcd28d]:
 {{{
 #!CommitTicketReference repository=""
 revision="4fcd28d442c2fec56f544f99cb658f33f847824c"
 Fixed #28881 -- Doc'd that CommonPasswordValidator's password list must be
 lowercase.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:7>

Re: [Django] #28881: Document that CommonPasswordValidator assumes all words are lower case

Django
#28881: Document that CommonPasswordValidator assumes all words are lower case
-------------------------------------+-------------------------------------
     Reporter:  Nick Farrell         |                    Owner:  Karmen
         Type:                       |                   Status:  closed
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  2.0
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Ready for
                                     |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

 In [changeset:"146317b734275daddcc9b5e240b3c48b508fc6e6" 146317b7]:
 {{{
 #!CommitTicketReference repository=""
 revision="146317b734275daddcc9b5e240b3c48b508fc6e6"
 [2.0.x] Fixed #28881 -- Doc'd that CommonPasswordValidator's password list
 must be lowercase.

 Backport of 4fcd28d442c2fec56f544f99cb658f33f847824c from master
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28881#comment:8>