Opened 8 years ago

Closed 8 years ago

#26719 closed Bug (fixed)

UserCreationForm doesn't call normalize_email

Reported by: Mitar Owned by: nobody
Component: contrib.auth Version: 1.10
Severity: Normal Keywords:
Cc: mmitar@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

UserCreationForm seems to not be calling normalize_email, which is called otherwise by the UserManager.create_user.

Change History (14)

comment:1 by Claude Paroz, 8 years ago

Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

Same for normalize_username in 1.10. What about applying the normalization in an AbstractUser.clean() method?

comment:2 by Tim Graham, 8 years ago

Has patch: set

comment:3 by Tim Graham, 8 years ago

Patch needs improvement: set
Severity: Normal → Release blocker
Summary: UserCreationForm is not calling normalize_email → UserCreationForm doesn't call normalize_email and normalize_username
Version: 1.9 → 1.10

Promoting to release blocker in light of Claude's concern of the lack of normalize_username as a possible security issue.

comment:4 by Mitar, 8 years ago

Can you elaborate on the security concern?

comment:5 by Claude Paroz, 8 years ago

The security concern is about Unicode usernames not being normalized, which could allow a user to create a new account with a username visually similar to another one's.
You can also find more information on this django-developers thread.
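
To make the concern concrete, here is an added Python example (not code from the ticket, the patch, or Django itself). `normalize_username` reimplements the NFKC folding that the referenced patch moves into AbstractBaseUser; `UserStore`, the sample usernames and the `demo_*` functions are constructed stand-ins for a unique username column, built only for this illustration. It also checks where NFKC stops: cross-script confusables such as a Cyrillic letter in a Latin name are not folded, so a uniqueness check on the normalized value does not catch them on its own.

```python
import unicodedata


def normalize_username(username):
    """NFKC-normalize a username.

    Reimplements the behaviour of Django's AbstractBaseUser.normalize_username
    (assumption: written here for the example, not imported from Django).
    """
    return unicodedata.normalize("NFKC", username) if isinstance(username, str) else username


class UserStore:
    """Constructed stand-in for a table with a unique username column."""

    def __init__(self):
        self._usernames = set()

    def create_user(self, username, normalize=True):
        """Return True if the account was created, False if the (normalized)
        username already exists."""
        key = normalize_username(username) if normalize else username
        if key in self._usernames:
            return False
        self._usernames.add(key)
        return True


# Constructed samples. FULLWIDTH_MITAR renders like "mitar" but is built from
# fullwidth Latin letters (U+FF4D ...), which NFKC folds back to ASCII.
FULLWIDTH_MITAR = "\uff4d\uff49\uff54\uff41\uff52"
# Precomposed e-acute versus e + combining acute accent; NFKC composes both to U+00E9.
PRECOMPOSED = "caf\u00e9"
DECOMPOSED = "caf\u0065\u0301"
# Cyrillic small a (U+0430) in place of Latin a; NFKC has no mapping for it.
CYRILLIC_A = "mit\u0430r"


def demo_without_normalization():
    """Without normalization the lookalike passes the uniqueness check."""
    store = UserStore()
    return (
        store.create_user("mitar", normalize=False),
        store.create_user(FULLWIDTH_MITAR, normalize=False),  # accepted: lookalike account
    )


def demo_with_normalization():
    """With NFKC the fullwidth and decomposed variants collide with the originals."""
    store = UserStore()
    return (
        store.create_user("mitar"),
        store.create_user(FULLWIDTH_MITAR),  # rejected: folds to "mitar"
        store.create_user(PRECOMPOSED),
        store.create_user(DECOMPOSED),       # rejected: composes to the same string
    )


def nfkc_catches(lookalike, original):
    """True if NFKC alone makes the two names compare equal."""
    return normalize_username(lookalike) == normalize_username(original)


if __name__ == "__main__":
    print("without normalization:", demo_without_normalization())
    print("with normalization:   ", demo_with_normalization())
    print("fullwidth caught:     ", nfkc_catches(FULLWIDTH_MITAR, "mitar"))
    print("cyrillic a caught:    ", nfkc_catches(CYRILLIC_A, "mitar"))
```

Because the fix places the normalization in the model's clean(), every ModelForm that saves a user hits it through full_clean(), not only the form that happened to be reported. The last check shows the limit of that fix: confusables from other scripts need a separate policy (for instance restricting usernames to one script), which this ticket does not attempt.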

comment:6 by Tim Graham, 8 years ago

Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin

comment:7 by Tim Graham, 8 years ago

Patch needs improvement: set
Severity: Release blocker → Normal
Summary: UserCreationForm doesn't call normalize_email and normalize_username → UserCreationForm doesn't call normalize_email
Triage Stage: Ready for checkin → Accepted

I wrote a separate patch for moving username normalization to AbstractBaseUser.clean(). I'll refocus this ticket to moving email normalization since this isn't a blocker for 1.10.

comment:8 by Tim Graham <timograham@…>, 8 years ago

In 39805686:

Refs #21379, #26719 -- Moved username normalization to AbstractBaseUser.

Thanks Huynh Thanh Tam for the initial patch and Claude Paroz for review.

comment:9 by Tim Graham <timograham@…>, 8 years ago

In 1b0b6f03:

[1.10.x] Refs #21379, #26719 -- Moved username normalization to AbstractBaseUser.

Thanks Huynh Thanh Tam for the initial patch and Claude Paroz for review.

Backport of 39805686b364358af725b695924a5a6dfa7f5302 from master

comment:10 by Tim Graham, 8 years ago

Not sure I understand the premise of the report because UserCreationForm only has fields = ("username",) (no email field).

comment:11 by Tim Graham, 8 years ago

Component: Forms → contrib.auth

comment:12 by Mitar, 8 years ago

Yes, but you can extend it and add it to fields in Meta. It is a ModelForm. So the list of fields exposed is just a default.

comment:13 by Tim Graham, 8 years ago

Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin

comment:14 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: new → closed

In 09119dff:

Fixed #26719 -- Normalized email in AbstractUser.clean().
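
The email side of the fix, as an added Python example that is not code from the ticket or from Django. `normalize_email` reimplements the semantics of Django's BaseUserManager.normalize_email (lowercase the domain part, leave the local part as typed, pass addresses without an `@` through untouched); `UserModelStandIn` and `EmailRegistry` are constructed stand-ins for AbstractUser.clean() and a unique-email constraint, built only to show why putting the call in clean() covers a UserCreationForm subclass that adds email to its Meta fields, as described in comment 12.

```python
def normalize_email(email):
    """Lowercase the domain part of an address; the local part is kept as typed.

    Reimplements the behaviour of Django's BaseUserManager.normalize_email
    (assumption: written here for the example, not imported from Django).
    """
    email = email or ""
    try:
        email_name, domain_part = email.strip().rsplit("@", 1)
    except ValueError:
        # No '@' present: return the value unchanged and let the field
        # validator reject it.
        return email
    return email_name + "@" + domain_part.lower()


class UserModelStandIn:
    """Constructed stand-in for AbstractUser. clean() is where the fix puts the
    normalization, so any ModelForm saving a user reaches it via full_clean(),
    whatever subset of fields the form exposes."""

    def __init__(self, username, email):
        self.username = username
        self.email = email

    def clean(self):
        self.email = normalize_email(self.email)


class EmailRegistry:
    """Constructed stand-in for a unique constraint keyed on the cleaned email."""

    def __init__(self):
        self._seen = set()

    def register(self, username, email):
        """Simulate ModelForm._post_clean(): construct, clean, then check uniqueness."""
        user = UserModelStandIn(username, email)
        user.clean()
        if user.email in self._seen:
            return False
        self._seen.add(user.email)
        return True


def demo_duplicate_detection():
    """Same mailbox spelled with a differently cased domain collides; a differently
    cased local part does not, matching the normalization's scope."""
    reg = EmailRegistry()
    return (
        reg.register("mitar", "mitar@example.com"),
        reg.register("mitar2", "  mitar@EXAMPLE.COM "),  # rejected: domain case and whitespace folded
        reg.register("mitar3", "MITAR@example.com"),      # accepted: local part is left as typed
    )


if __name__ == "__main__":
    print(normalize_email("Mitar@Example.COM"))
    print(demo_duplicate_detection())
```

Keeping the local part untouched is deliberate: mailbox names are case-sensitive on the receiving server, so only the domain is safe to fold, and that is all the fix does.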
