Re: Issue with Django Password Normalization

2016-04-21 Thread Rick Leir
Here are links to the dev discussions.
https://groups.google.com/d/msg/django-developers/MBSWXcQBP3k/XgWzGhpDBAAJ

On Thursday, 21 April 2016 10:47:43 UTC-4, Arun S wrote:
>
> thanks for some very useful information.
>
> I did raise this in the dev forum but it was not agreed to be a question 
> in that forum to discuss whether this should be taken up.
>
> I guess with all this input, this can be suggested though.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/ded99119-cabe-40e6-8295-5c33f3f3dca1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Issue with Django Password Normalization

2016-04-21 Thread Rick Leir
username = models.CharField(
    _('username'),
    max_length=150,
    unique=True,
    help_text=_('Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.'),
    validators=[validators.RegexValidator(r'^[\w.@+-]+$',

It looks as if you could just clear the LOCALE and UNICODE flags, to restrict 
the allowable characters. 

I don't think you raised this in the dev mailing 
list https://groups.google.com/forum/#!searchin/django-developers/password
You raised an issue in Trac, which is different. I agree with Michal that 
this is worth looking at, and will pop it into a post in the dev list.
cheers -- Rick

django/contrib/auth/models.py line 308 or so

https://docs.python.org/2/library/re.html

\w
When the LOCALE and UNICODE flags are not specified, matches any alphanumeric 
character and the underscore; this is equivalent to the set [a-zA-Z0-9_]. With 
LOCALE, it will match the set [0-9_] plus whatever characters are defined as 
alphanumeric for the current locale. If UNICODE is set, this will match the 
characters [0-9_] plus whatever is classified as alphanumeric in the Unicode 
character properties database.

On Thursday, 21 April 2016 10:47:43 UTC-4, Arun S wrote:
>
> thanks for some very useful information.
>
> I did raise this in the dev forum but it was not agreed to be a question 
> in that forum to discuss whether this should be taken up.
>
> I guess with all this input, this can be suggested though.
>
>



Re: Issue with Django Password Normalization

2016-04-21 Thread Rick Leir
Here are the Stackoverflow discussions I mentioned Ñ )oops I have the 
Espanol keyboard selected=

http://stackoverflow.com/questions/16173328/what-unicode-normalization-and-other-processing-is-appropriate-for-passwords-w
http://stackoverflow.com/questions/2798794/how-do-i-properly-implement-unicode-passwords

Maybe we should not permit unicode passwords: 
http://stackoverflow.com/questions/179/should-i-support-unicode-in-passwords

One issue for passwords is that you might have different Input Methods when 
you use different browsers, making it more difficult to login. Are Input 
Methods much different among browsers? We only need to consider browsers, 
clearly, not other UI's. (please correct me if there is any other, say Qt GUI)

   - Chrome: use input tools http://www.google.com/inputtools/ on Mac, 
     Linux, and Windows
   - Mobile Android: long-press then slide to select a char
   - Mobile iOS: 
   - I.E.: Microsoft has a few ways to enter Hex codes (unfriendly in my 
     mind) https://en.wikipedia.org/wiki/Unicode_input#In_Microsoft_Windows
   - Firefox: there are 5 addons available 
     https://addons.mozilla.org/en-US/firefox/tag/input%20method%20editor
   - Opera, Konqueror, .. .. ..

The issue for usernames is that you could spoof someone else's username, 
and appear to be (impersonate) another person. The attacker can easily 
enter a character which looks the same but has a different Unicode point. 
Michal, as you say, we would want to normalize the chars. And as you say, 
it is a topic for the dev list.

But how important is this issue? Yes, it is security related. But it is far 
from critical in my mind.


On Wednesday, 20 April 2016 10:22:27 UTC-4, Rick Leir wrote:
>
> There is also a new issue in Trac on this topic. I added two links to 
> Stackoverflow discussions there. 
>
> The issue: supposing a password is mañana. Depending on what client you 
> use, input methods can give you two different UTF8 characters for ñ. As a 
> first step, let's add test case, and check whether it fails. 
>
> My guess (tho I am new to this) is that this is a Django issue not Python. 
> Cheers-- Rick

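An added example, not code from this thread or from Django, that puts the mañana test case and the \w flag question from the earlier message into one script: the two encodings of ñ differ as bytes, NFKC normalization (an assumed choice; the thread only says "normalize") makes them compare equal, and re.ASCII is how Python 3 restricts the quoted username regex to [a-zA-Z0-9_]. The helper names are my own.

```python
import re
import unicodedata

# Constructed sample: the password "mañana" entered two ways, as the thread
# describes. Precomposed n-with-tilde (U+00F1) versus a plain 'n' followed by
# the combining tilde (U+0303): same glyphs on screen, different code points.
PASSWORD_PRECOMPOSED = "ma\u00f1ana"
PASSWORD_DECOMPOSED = "man\u0303ana"

# The username regex quoted from django/contrib/auth/models.py, unchanged.
USERNAME_PATTERN = r'^[\w.@+-]+$'


def utf8_bytes(text):
    """UTF-8 encoding of the text, i.e. what would reach the password hasher."""
    return text.encode("utf-8")


def normalize_credential(text):
    """Canonicalise to NFKC before validating, hashing or comparing.

    NFKC is an assumption here; the thread only says "normalize the chars".
    """
    return unicodedata.normalize("NFKC", text)


def credentials_match(entered, stored):
    """True when two entries are the same string once both are normalized."""
    return normalize_credential(entered) == normalize_credential(stored)


def username_is_valid(username, ascii_only):
    """Apply the thread's username regex to a str.

    With Python 3 str patterns \\w is Unicode-aware by default; re.ASCII is
    the equivalent of the "LOCALE and UNICODE flags not specified" case in
    the Python 2 docs quoted earlier, restricting \\w to [a-zA-Z0-9_].
    """
    flags = re.ASCII if ascii_only else 0
    return re.match(USERNAME_PATTERN, username, flags) is not None


if __name__ == "__main__":
    print(utf8_bytes(PASSWORD_PRECOMPOSED), utf8_bytes(PASSWORD_DECOMPOSED))
    print("raw equal:", PASSWORD_PRECOMPOSED == PASSWORD_DECOMPOSED)
    print("normalized equal:",
          credentials_match(PASSWORD_PRECOMPOSED, PASSWORD_DECOMPOSED))
    for name in (PASSWORD_PRECOMPOSED, PASSWORD_DECOMPOSED):
        print(repr(name), "unicode \\w:", username_is_valid(name, False),
              "ascii \\w:", username_is_valid(name, True))
```

Note that the decomposed form fails the regex even in Unicode mode, because the combining tilde is a mark, not an alphanumeric, so a username has to be normalized before it is validated, not only before it is stored.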


Re: Issue with Django Password Normalization

2016-04-20 Thread Rick Leir
There is also a new issue in Trac on this topic. I added two links to 
Stackoverflow discussions there. 

The issue: supposing a password is mañana. Depending on what client you use, 
input methods can give you two different UTF8 characters for ñ. As a first 
step, let's add test case, and check whether it fails. 

My guess (tho I am new to this) is that this is a Django issue not Python.
Cheers-- Rick
