Context Navigation

← Previous Ticket
Next Ticket →

#26719 closed Bug (fixed)

UserCreationForm doesn't call normalize_email

Reported by:	Mitar	Owned by:	nobody
Component:	contrib.auth	Version:	1.10
Severity:	Normal	Keywords:
Cc:	mmitar@…	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

UserCreationForm seems to not be calling normalize_email, which is called otherwise by the UserManager.create_user.

Change History (14)

comment:1 by Claude Paroz, 8 years ago

Triage Stage:	Unreviewed → Accepted
Type:	Uncategorized → Bug

Same for normalize_username in 1.10. What about applying the normalization in an AbstractUser.clean() method?

comment:2 by Tim Graham, 8 years ago

Has patch:	set

comment:3 by Tim Graham, 8 years ago

Patch needs improvement:	set
Severity:	Normal → Release blocker
Summary:	UserCreationForm is not calling normalize_email → UserCreationForm doesn't call normalize_email and normalize_username
Version:	1.9 → 1.10

Promoting to release blocker in light of Claude's concern of the lack of normalize_username as a possible security issue.

comment:4 by Mitar, 8 years ago

Can you elaborate on the security concern?

comment:5 by Claude Paroz, 8 years ago

The security concern is about unicode username not being normalized, which could allow a user to create a new account with a visually similar username as another one.
You can also find more information on this django-developers thread.

comment:6 by Tim Graham, 8 years ago

Patch needs improvement:	unset
Triage Stage:	Accepted → Ready for checkin

comment:7 by Tim Graham, 8 years ago

Patch needs improvement:	set
Severity:	Release blocker → Normal
Summary:	UserCreationForm doesn't call normalize_email and normalize_username → UserCreationForm doesn't call normalize_email
Triage Stage:	Ready for checkin → Accepted

I wrote a separate patch for moving username normalization to AbstractBaseUser.clean(). I'll refocus this ticket to moving email normalization since this isn't a blocker for 1.10.

comment:8 by Tim Graham <timograham@…>, 8 years ago

In 39805686:

Refs #21379, #26719 -- Moved username normalization to AbstractBaseUser.

Thanks Huynh Thanh Tam for the initial patch and Claude Paroz for review.

comment:9 by Tim Graham <timograham@…>, 8 years ago

In 1b0b6f03:

[1.10.x] Refs #21379, #26719 -- Moved username normalization to AbstractBaseUser.

Thanks Huynh Thanh Tam for the initial patch and Claude Paroz for review.

Backport of 39805686b364358af725b695924a5a6dfa7f5302 from master

comment:10 by Tim Graham, 8 years ago

Not sure I understand the premise of the report because UserCreationForm only has fields = ("username",) (no email field).

comment:11 by Tim Graham, 8 years ago

Component:	Forms → contrib.auth

comment:12 by Mitar, 8 years ago

Yes, but you can extend it and add it to fields in Meta. It is a ModelForm. So the list of fields exposed is just a default.

comment:13 by Tim Graham, 8 years ago

Patch needs improvement:	unset
Triage Stage:	Accepted → Ready for checkin

comment:14 by Tim Graham <timograham@…>, 8 years ago

Resolution:	→ fixed
Status:	new → closed

In 09119dff:

Fixed #26719 -- Normalized email in AbstractUser.clean().

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues