From 6a07f5a5b4e2c0921967b8c47c8c9cfcd9a45b90 Mon Sep 17 00:00:00 2001
From: Akihiro Motoki
Date: Wed, 5 Feb 2020 14:41:49 +0900
Subject: [PATCH] Avoid stripping leading/traling spaces in password forms

There are cases where leading/trailing spaces are included in passwords We should not touch passwords input in forms and pass them to auth backends without any modifications. The detail was discussed in the mailing list thread [1] referred in the bug comment.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-January/thread.html#12223
Change-Id: I98de224cc77a98fa216ec3bc032412325e661e14
Closes-Bug: #1861224
---
 openstack_auth/forms.py | 4 ++++
 openstack_dashboard/dashboards/identity/users/forms.py | 2 ++
 openstack_dashboard/dashboards/project/instances/forms.py | 3 +++
 .../dashboards/project/instances/workflows/create_instance.py | 1 +
 openstack_dashboard/dashboards/settings/password/forms.py | 3 +++
 5 files changed, 13 insertions(+)

diff --git a/openstack_auth/forms.py b/openstack_auth/forms.py
index ba9cccfe6a..d1c38e304f 100644
--- a/openstack_auth/forms.py
+++ b/openstack_auth/forms.py
@@ -71,6 +71,7 @@ class Login(django_auth_forms.AuthenticationForm):
 label=_("User Name"),
 widget=forms.TextInput(attrs={"autofocus": "autofocus"}))
 password = forms.CharField(label=_("Password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 def __init__(self, *args, **kwargs):
@@ -190,14 +191,17 @@ class Password(forms.Form):
 ), (
 'original_password',
 forms.CharField(label=_("Original password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 ), (
 'password',
 forms.CharField(label=_("New password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 ), (
 'confirm_password',
 forms.CharField(label=_("Confirm password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 ),
 ])
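Review bot: The `strip=False` added to `Login.password` changes what reaches the auth backend for any account whose password was set through a form that used to strip, and the commit carries neither a release note nor a test for it (the diffstat lists only the five forms modules). A password typed with surrounding spaces was presumably stored in its stripped form, so the same keystrokes would now fail to authenticate; that upgrade impact should be stated in a release note. A regression test that submits a constructed value such as `'  secret  '` and asserts that `cleaned_data['password']` comes back unchanged would pin the behaviour, and the same test is worth having for the three fields of the `Password` form in the second hunk. Both class bodies continue outside the hunks.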
diff --git a/openstack_dashboard/dashboards/identity/users/forms.py b/openstack_dashboard/dashboards/identity/users/forms.py
index 019d299cf3..71af7363c9 100644
--- a/openstack_dashboard/dashboards/identity/users/forms.py
+++ b/openstack_dashboard/dashboards/identity/users/forms.py
@@ -46,6 +46,7 @@ class PasswordMixin(forms.SelfHandlingForm):
 error_messages={'invalid': validators.password_validator_msg()})
 confirm_password = forms.CharField(
 label=_("Confirm Password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 no_autocomplete = True
@@ -295,6 +296,7 @@ class ChangePasswordForm(PasswordMixin, forms.SelfHandlingForm):
 if settings.ENFORCE_PASSWORD_CHECK:
 self.fields["admin_password"] = forms.CharField(
 label=_("Admin Password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 # Reorder form fields from multiple inheritance
 self.fields.keyOrder = ["id", "name", "admin_password",
diff --git a/openstack_dashboard/dashboards/project/instances/forms.py b/openstack_dashboard/dashboards/project/instances/forms.py
index 9f9ee85049..578ccdf05a 100644
--- a/openstack_dashboard/dashboards/project/instances/forms.py
+++ b/openstack_dashboard/dashboards/project/instances/forms.py
@@ -54,6 +54,7 @@ class RebuildInstanceForm(forms.SelfHandlingForm):
 confirm_password = forms.CharField(
 label=_("Confirm Rebuild Password"),
 required=False,
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 disk_config = forms.ChoiceField(label=_("Disk Partition"), required=False)
@@ -141,6 +142,7 @@ class DecryptPasswordInstanceForm(forms.SelfHandlingForm):
 encrypted_password = forms.CharField(widget=forms.widgets.Textarea(_attrs),
 label=_("Encrypted Password"),
 help_text=_encrypted_pwd_help,
+ strip=False,
 required=False)
 def __init__(self, request, *args, **kwargs):
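Review bot: In `PasswordMixin` only `confirm_password` receives `strip=False`, while the field that closes on the `error_messages=` context line just above it is left as it was; its definition starts outside the hunk. If it is a `forms.RegexField` like `new_password` in settings/password/forms.py, Django already defaults it to `strip=False`, so the two values should still compare equal, but nothing on the page says so and this commit does set the keyword explicitly on `new_password`. I would add `strip=False,` to that field as well, so each password/confirmation pair visibly agrees and a later switch of field type cannot make them diverge. The same applies to the field above `confirm_admin_pass` in create_instance.py and, presumably, to the one paired with `confirm_password` in `RebuildInstanceForm`.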
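Review bot: The `strip=False` on `DecryptPasswordInstanceForm.encrypted_password` is not obviously covered by the commit message, which is about passwords typed into forms and handed to auth backends; this field is a `Textarea` labelled `Encrypted Password`. If surrounding whitespace in that value matters to whatever consumes it (not visible in this hunk), a one-line comment above the field saying so would explain the keyword. If it does not matter, leaving the default would avoid suggesting that it does.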
@@ -488,6 +490,7 @@ class RescueInstanceForm(forms.SelfHandlingForm):
 transform=_image_choice_title))
 password = forms.CharField(label=_("Password"), max_length=255, required=False,
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 failure_url = 'horizon:project:instances:index'
diff --git a/openstack_dashboard/dashboards/project/instances/workflows/create_instance.py b/openstack_dashboard/dashboards/project/instances/workflows/create_instance.py
index acd23c87bb..41ef8ac87e 100644
--- a/openstack_dashboard/dashboards/project/instances/workflows/create_instance.py
+++ b/openstack_dashboard/dashboards/project/instances/workflows/create_instance.py
@@ -560,6 +560,7 @@ class SetAccessControlsAction(workflows.Action):
 error_messages={'invalid': validators.password_validator_msg()})
 confirm_admin_pass = forms.CharField(
 label=_("Confirm Admin Password"),
+ strip=False,
 required=False,
 widget=forms.PasswordInput(render_value=False))
 groups = forms.MultipleChoiceField(
diff --git a/openstack_dashboard/dashboards/settings/password/forms.py b/openstack_dashboard/dashboards/settings/password/forms.py
index 2497f33ad8..5a999640ee 100644
--- a/openstack_dashboard/dashboards/settings/password/forms.py
+++ b/openstack_dashboard/dashboards/settings/password/forms.py
@@ -30,15 +30,18 @@ from openstack_dashboard import api
 class PasswordForm(forms.SelfHandlingForm):
 current_password = forms.CharField(
 label=_("Current password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 new_password = forms.RegexField(
 label=_("New password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False),
 regex=validators.password_validator(),
 error_messages={'invalid': validators.password_validator_msg()})
 confirm_password = forms.CharField(
 label=_("Confirm new password"),
+ strip=False,
 widget=forms.PasswordInput(render_value=False))
 no_autocomplete = True
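Review bot: With `required=False` and `strip=False` together on `RescueInstanceForm.password`, an input made only of spaces is no longer reduced to the empty string, so it reaches the handler as a real value. If the handler, which is outside this hunk, treats any non-empty `password` as set, a stray space would become the rescue password without the user noticing. Consider rejecting whitespace-only input in a `clean_password` method, or state in the field's `help_text` that spaces are significant. The same optional-and-unstripped combination is introduced on `confirm_password` in `RebuildInstanceForm` and on `confirm_admin_pass` in create_instance.py.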