restore trimming of username input
continue to not trim password or custom fields; trailing/leading space is explicitly forbidden in validate_username
@@ -256,6 +256,9 @@ class Authenticator(LoggingConfigurable):
|
|||||||
if not username:
|
if not username:
|
||||||
# empty usernames are not allowed
|
# empty usernames are not allowed
|
||||||
return False
|
return False
|
||||||
|
if username != username.strip():
|
||||||
|
# starting/ending with space is not allowed
|
||||||
|
return False
|
||||||
if not self.username_regex:
|
if not self.username_regex:
|
||||||
return True
|
return True
|
||||||
return bool(self.username_regex.match(username))
|
return bool(self.username_regex.match(username))
|
||||||
|
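Review bot: The new `username != username.strip()` check in `validate_username` rejects only leading and trailing whitespace, so when `username_regex` is unset a name with interior whitespace, or with invisible non-whitespace characters such as U+200B, still validates. If look-alike account names matter for a deployment, that limit is worth stating next to the check, e.g. `# only leading/trailing whitespace is rejected here; set username_regex to restrict other characters`. The added comment says "space" while `str.strip()` removes every Unicode whitespace character, so `# leading/trailing whitespace is not allowed` would be more exact. The method's signature and docstring are outside the hunk.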
@@ -145,7 +145,9 @@ class LoginHandler(BaseHandler):
|
|||||||
# parse the arguments dict
|
# parse the arguments dict
|
||||||
data = {}
|
data = {}
|
||||||
for arg in self.request.arguments:
|
for arg in self.request.arguments:
|
||||||
data[arg] = self.get_argument(arg, strip=False)
|
# strip username, but not other fields like passwords,
|
||||||
|
# which should be allowed to start or end with space
|
||||||
|
data[arg] = self.get_argument(arg, strip=arg == "username")
|
||||||
|
|
||||||
auth_timer = self.statsd.timer('login.authenticate').start()
|
auth_timer = self.statsd.timer('login.authenticate').start()
|
||||||
user = await self.login_user(data)
|
user = await self.login_user(data)
|
||||||
|
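Review bot: `strip=arg == "username"` reads ambiguously at a glance; `strip=(arg == "username")` makes the precedence obvious. Trimming is applied only to the literal form field `username` in this handler, while `validate_username` now rejects padded names, so any other path that hands a username to the authenticator (none is visible in this diff) would have to trim before validation or the login is refused. A short comment recording that dependency, e.g. `# validate_username rejects leading/trailing whitespace, so trim here`, would keep the two in step. The enclosing method starts and ends outside the hunk.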
@@ -740,9 +740,17 @@ async def test_login_fail(app):
|
|||||||
assert not r.cookies
|
assert not r.cookies
|
||||||
|
|
||||||
|
|
||||||
async def test_login_strip(app):
|
@pytest.mark.parametrize(
|
||||||
"""Test that login form doesn't strip whitespace from passwords"""
|
"form_user, auth_user, form_password",
|
||||||
form_data = {'username': 'spiff', 'password': ' space man '}
|
[
|
||||||
|
("spiff", "spiff", " space man "),
|
||||||
|
(" spiff ", "spiff", " space man "),
|
||||||
|
],
|
||||||
|
)
|
||||||
|
async def test_login_strip(app, form_user, auth_user, form_password):
|
||||||
|
"""Test that login form strips space form usernames, but not passwords"""
|
||||||
|
form_data = {"username": form_user, "password": form_password}
|
||||||
|
expected_auth = {"username": auth_user, "password": form_password}
|
||||||
base_url = public_url(app)
|
base_url = public_url(app)
|
||||||
called_with = []
|
called_with = []
|
||||||
|
|
||||||
@@ -754,7 +762,7 @@ async def test_login_strip(app):
|
|||||||
base_url + 'hub/login', data=form_data, allow_redirects=False
|
base_url + 'hub/login', data=form_data, allow_redirects=False
|
||||||
)
|
)
|
||||||
|
|
||||||
assert called_with == [form_data]
|
assert called_with == [expected_auth]
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize(
|
@pytest.mark.parametrize(
|
||||||
|
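Review bot: The parametrized cases in `test_login_strip` exercise only the form handler's trimming with plain spaces; nothing visible here asserts that `validate_username` itself returns False for a padded name, nor that tabs or newlines around the username are trimmed the same way. A constructed case such as `("\tspiff\n", "spiff", " space man ")` plus a direct assertion that `validate_username(" spiff ")` is false would pin both halves of the change. The new docstring has a typo: `strips space form usernames` should read `strips space from usernames`. The part of the test body between the two hunks is not shown.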