restore trimming of username input

continue to not trim password or custom fields

trailing/leading space is explicitly forbidden in validate_username
This commit is contained in:
Min RK
2022-08-10 08:36:23 +02:00
parent 2f1d340c42
commit c9e6d6afa3
3 changed files with 18 additions and 5 deletions


@@ -256,6 +256,9 @@ class Authenticator(LoggingConfigurable):
if not username: if not username:
# empty usernames are not allowed # empty usernames are not allowed
return False return False
if username != username.strip():
# starting/ending with space is not allowed
return False
if not self.username_regex: if not self.username_regex:
return True return True
return bool(self.username_regex.match(username)) return bool(self.username_regex.match(username))
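Review bot: The comment on the new guard says "space", but `username.strip()` rejects any leading or trailing whitespace — tabs, newlines and non-ASCII whitespace such as U+00A0 included — so the comment understates what the check enforces; I'd write `# leading/trailing whitespace (anything str.strip() removes) is not allowed` and state the same rule in validate_username's docstring. That precision seems worth having because the login handler only strips the form's username field, so a username reaching this method through another path with, say, a trailing tab is presumably rejected here rather than normalised. validate_username's def line and docstring are outside this hunk.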


@@ -145,7 +145,9 @@ class LoginHandler(BaseHandler):
# parse the arguments dict # parse the arguments dict
data = {} data = {}
for arg in self.request.arguments: for arg in self.request.arguments:
data[arg] = self.get_argument(arg, strip=False) # strip username, but not other fields like passwords,
# which should be allowed to start or end with space
data[arg] = self.get_argument(arg, strip=arg == "username")
auth_timer = self.statsd.timer('login.authenticate').start() auth_timer = self.statsd.timer('login.authenticate').start()
user = await self.login_user(data) user = await self.login_user(data)
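Review bot: `strip=arg == "username"` is correct but reads like a chained comparison at a glance; parentheses make the keyword's value obvious, `data[arg] = self.get_argument(arg, strip=(arg == "username"))`. Tornado's `strip=True` applies `str.strip()`, which is the same rule validate_username enforces, so the comment above the call should also say "whitespace" rather than "space" to keep the two descriptions consistent, e.g. `# strip whitespace from username only; passwords and other fields keep leading/trailing whitespace`. The enclosing handler method starts and ends outside the hunk.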


@@ -740,9 +740,17 @@ async def test_login_fail(app):
assert not r.cookies assert not r.cookies
async def test_login_strip(app): @pytest.mark.parametrize(
"""Test that login form doesn't strip whitespace from passwords""" "form_user, auth_user, form_password",
form_data = {'username': 'spiff', 'password': ' space man '} [
("spiff", "spiff", " space man "),
(" spiff ", "spiff", " space man "),
],
)
async def test_login_strip(app, form_user, auth_user, form_password):
"""Test that login form strips space form usernames, but not passwords"""
form_data = {"username": form_user, "password": form_password}
expected_auth = {"username": auth_user, "password": form_password}
base_url = public_url(app) base_url = public_url(app)
called_with = [] called_with = []
@@ -754,7 +762,7 @@ async def test_login_strip(app):
base_url + 'hub/login', data=form_data, allow_redirects=False base_url + 'hub/login', data=form_data, allow_redirects=False
) )
assert called_with == [form_data] assert called_with == [expected_auth]
@pytest.mark.parametrize( @pytest.mark.parametrize(