Opened 5 years ago

Closed 5 years ago

#30257 closed Bug (fixed)

UsernameValidator allows trailing newline in usernames

Reported by: Robert Grosse Owned by: Ryan Schave
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no


ASCIIUsernameValidator and UnicodeUsernameValidator use the regex


The intent is to only allow alphanumeric characters as well as ., @, +, and -. However, a little known quirk of Python regexes is that $ will also match a trailing newline. Therefore, the user name validators will accept usernames which end with a newline. You can avoid this behavior by instead using \A and \Z to terminate regexes. For example, the validator regex could be changed to


in order to reject usernames that end with a newline.

I am not sure how to officially post a patch, but the required change is trivial - using the regex above in the two validators in contrib.auth.validators.

Change History (6)

comment:1 by Tim Graham, 5 years ago

Triage Stage: UnreviewedAccepted

comment:2 by Ryan Schave, 5 years ago

Owner: changed from nobody to Ryan Schave
Status: newassigned

comment:3 by Ryan Schave, 5 years ago

Has patch: set

comment:4 by Simon Charette, 5 years ago

Patch needs improvement: set

Tim reported that the tests are not covering the leading newline case on the PR.

comment:5 by Ryan Schave, 5 years ago

Patch needs improvement: unset

I reviewed the ASCII and Unicode validators and confirmed the regex is compiled without the MULTILINE flag. In this configuration ^ and \A have the same behavior - a newline at the beginning of the string is rejected. I reverted back to ^ and left \Z in place.

comment:6 by Tim Graham <timograham@…>, 5 years ago

Resolution: fixed
Status: assignedclosed

In cbf7e715:

Fixed #30257 -- Made UsernameValidators prohibit trailing newlines.

Note: See TracTickets for help on using tickets.
Back to Top