Avoid stripping leading/traling spaces in password forms

There are cases where leading/trailing spaces are included in passwords We should not touch passwords input in forms and pass them to auth backends without any modifications. The detail was discussed in the mailing list thread [1] referred in the bug comment. [1] http://lists.openstack.org/pipermail/openstack-discuss/2020-January/thread.html#12223 Change-Id: I98de224cc77a98fa216ec3bc032412325e661e14 Closes-Bug: #1861224
2020-02-05 14:41:49 +09:00 · 2020-02-05 14:41:49 +09:00 · 6a07f5a5b4
commit 6a07f5a5b4
parent 363a4df3ac
5 changed files with 13 additions and 0 deletions
--- a/openstack_auth/forms.py
+++ b/openstack_auth/forms.py
@ -71,6 +71,7 @@ class Login(django_auth_forms.AuthenticationForm):
        label=_("User Name"),
        widget=forms.TextInput(attrs={"autofocus": "autofocus"}))
    password = forms.CharField(label=_("Password"),
+                               strip=False,
                               widget=forms.PasswordInput(render_value=False))

    def __init__(self, *args, **kwargs):
@ -190,14 +191,17 @@ class Password(forms.Form):
            ), (
                'original_password',
                forms.CharField(label=_("Original password"),
+                                strip=False,
                                widget=forms.PasswordInput(render_value=False))
            ), (
                'password',
                forms.CharField(label=_("New password"),
+                                strip=False,
                                widget=forms.PasswordInput(render_value=False))
            ), (
                'confirm_password',
                forms.CharField(label=_("Confirm password"),
+                                strip=False,
                                widget=forms.PasswordInput(render_value=False))
            ),
        ])
--- a/openstack_dashboard/dashboards/identity/users/forms.py
+++ b/openstack_dashboard/dashboards/identity/users/forms.py
@ -46,6 +46,7 @@ class PasswordMixin(forms.SelfHandlingForm):
        error_messages={'invalid': validators.password_validator_msg()})
    confirm_password = forms.CharField(
        label=_("Confirm Password"),
+        strip=False,
        widget=forms.PasswordInput(render_value=False))
    no_autocomplete = True

@ -295,6 +296,7 @@ class ChangePasswordForm(PasswordMixin, forms.SelfHandlingForm):
        if settings.ENFORCE_PASSWORD_CHECK:
            self.fields["admin_password"] = forms.CharField(
                label=_("Admin Password"),
+                strip=False,
                widget=forms.PasswordInput(render_value=False))
            # Reorder form fields from multiple inheritance
            self.fields.keyOrder = ["id", "name", "admin_password",
--- a/openstack_dashboard/dashboards/project/instances/forms.py
+++ b/openstack_dashboard/dashboards/project/instances/forms.py
@ -54,6 +54,7 @@ class RebuildInstanceForm(forms.SelfHandlingForm):
    confirm_password = forms.CharField(
        label=_("Confirm Rebuild Password"),
        required=False,
+        strip=False,
        widget=forms.PasswordInput(render_value=False))
    disk_config = forms.ChoiceField(label=_("Disk Partition"),
                                    required=False)
@ -141,6 +142,7 @@ class DecryptPasswordInstanceForm(forms.SelfHandlingForm):
    encrypted_password = forms.CharField(widget=forms.widgets.Textarea(_attrs),
                                         label=_("Encrypted Password"),
                                         help_text=_encrypted_pwd_help,
+                                         strip=False,
                                         required=False)

    def __init__(self, request, *args, **kwargs):
@ -488,6 +490,7 @@ class RescueInstanceForm(forms.SelfHandlingForm):
            transform=_image_choice_title))
    password = forms.CharField(label=_("Password"), max_length=255,
                               required=False,
+                               strip=False,
                               widget=forms.PasswordInput(render_value=False))
    failure_url = 'horizon:project:instances:index'

--- a/openstack_dashboard/dashboards/project/instances/workflows/create_instance.py
+++ b/openstack_dashboard/dashboards/project/instances/workflows/create_instance.py
@ -560,6 +560,7 @@ class SetAccessControlsAction(workflows.Action):
        error_messages={'invalid': validators.password_validator_msg()})
    confirm_admin_pass = forms.CharField(
        label=_("Confirm Admin Password"),
+        strip=False,
        required=False,
        widget=forms.PasswordInput(render_value=False))
    groups = forms.MultipleChoiceField(
--- a/openstack_dashboard/dashboards/settings/password/forms.py
+++ b/openstack_dashboard/dashboards/settings/password/forms.py
@ -30,15 +30,18 @@ from openstack_dashboard import api
 class PasswordForm(forms.SelfHandlingForm):
    current_password = forms.CharField(
        label=_("Current password"),
+        strip=False,
        widget=forms.PasswordInput(render_value=False))
    new_password = forms.RegexField(
        label=_("New password"),
+        strip=False,
        widget=forms.PasswordInput(render_value=False),
        regex=validators.password_validator(),
        error_messages={'invalid':
                        validators.password_validator_msg()})
    confirm_password = forms.CharField(
        label=_("Confirm new password"),
+        strip=False,
        widget=forms.PasswordInput(render_value=False))
    no_autocomplete = True