Opened 4 years ago

Closed 4 years ago

#32163 closed Bug (invalid)

Admin change password is not handled gracefully (error 500)

Reported by: Romain SOMMERARD Owned by: nobody
Component: contrib.admin Version: 3.1
Severity: Normal Keywords: admin, password
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Change the password via the admin form for a user and enter a password like qwerty123**, the server return a not handled gracefully error 500. With DEBUG=True, we can have more details:

error at /admin/users/user/27/password/

multiple repeat at position 10

Request Method: POST
Request URL: http://localhost:8000/admin/users/user/27/password/
Django Version: 3.0.7
Exception Type: error
Exception Value:

multiple repeat at position 10

Exception Location: /usr/lib/python3.8/ in _parse, line 671
Python Executable: /home/dave/.virtualenvs/my-project/bin/python
Python Version: 3.8.5
Python Path:



Server time: Mon, 2 Nov 2020 17:35:25 +0100

Change History (2)

comment:1 by Sydney Logan, 4 years ago

So, a quick google search indicates that the "*" is probably being interpreted as a regex wildcard. And two in a row is probably invalid, leading to the exception being raised.

What happens if you escape the '*' characters, e.g., use querty123\*\*\* instead of querty* ? I'm expecting that doing so would allow for the use of "*' in a password (or trigger some other filtering/error that might be in place that disallows use of "*").

comment:2 by Mariusz Felisiak, 4 years ago

Resolution: invalid
Status: newclosed

I cannot reproduce this issue with builtin validators, it looks that it's an issue in a custom password validator. Closing per TicketClosingReasons/UseSupportChannels.

Note: See TracTickets for help on using tickets.
Back to Top