﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28016	Command createsuperuser does not validate username when using --username	Ricardo S. A. Silva	Ricardo S. A. Silva	"It is possible to create a new user with invalid characters in the username by running createsuperuser with only the --username parameter. The username validation is only executed when the --noinput parameter is used.

Example:

{{{
manage.py createsuperuser --username %invalid%username
}}}

The problem also occurs for fields on REQUIRED_FIELDS (e.g. email):

{{{
manage.py createsuperuser --username test --email invalid_email
}}}

This can be fixed by adding some validation:

{{{
--- a/django/contrib/auth/management/commands/createsuperuser.py
+++ b/django/contrib/auth/management/commands/createsuperuser.py
@@ -94,6 +94,24 @@ class Command(BaseCommand):
                 if hasattr(self.stdin, 'isatty') and not self.stdin.isatty():
                     raise NotRunningInTTYException(""Not running in a TTY"")

+                # Validate username provided by --username parameter
+                if username:
+                    try:
+                        self.UserModel._meta.get_field(self.UserModel.USERNAME_FIELD).clean(username, None)
+                    except exceptions.ValidationError as e:
+                        raise CommandError('; '.join(e.messages))
+
+                # Validate data inputted by --< field_name >
+                for field_name in self.UserModel.REQUIRED_FIELDS:
+                    try:
+                        if options[field_name]:
+                            field = self.UserModel._meta.get_field(field_name)
+                            user_data[field_name] = field.clean(options[field_name], None)
+                        else:
+                            user_data[field_name] = None
+                    except exceptions.ValidationError as e:
+                        raise CommandError('; '.join(e.messages))
+
                 # Get a username
                 verbose_field_name = self.username_field.verbose_name
                 while username is None:
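Review bot: The added username check calls `.clean(username, None)` and discards the result, while the REQUIRED_FIELDS loop just below stores the value returned by `field.clean(...)` in `user_data`, so the username used afterwards is still the raw command-line string. The context line `self.username_field.verbose_name` shows the field object is already at hand, so the check can be written as `username = self.username_field.clean(username, None)`. In the loop, `if options[field_name]:` treats an explicitly supplied empty value the same as an omitted option; `if options[field_name] is not None:` would leave that decision to the field's validators, assuming the option default is None, which is not visible here. Field `clean()` presumably does not cover uniqueness, so whether a duplicate `--username` is still rejected depends on code outside this hunk; the enclosing method starts and ends outside it.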
@@ -122,7 +140,6 @@ class Command(BaseCommand):

                 for field_name in self.UserModel.REQUIRED_FIELDS:
                     field = self.UserModel._meta.get_field(field_name)
-                    user_data[field_name] = options[field_name]
                     while user_data[field_name] is None:
                         message = '%s%s: ' % (
                             capfirst(field.verbose_name),
}}}




"	Bug	closed	contrib.auth	dev	Normal	duplicate			Accepted	1	0	0	1	0	0
