Opened 4 years ago
Closed 4 years ago
#32163 closed Bug (invalid)
Admin change password is not handled gracefully (error 500)
Reported by: | Romain SOMMERARD | Owned by: | nobody |
---|---|---|---|
Component: | contrib.admin | Version: | 3.1 |
Severity: | Normal | Keywords: | admin, password |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Change the password via the admin form for a user and enter a password like qwerty123**, and the server returns an error 500 that is not handled gracefully. With DEBUG=True, we can get more details:
error at /admin/users/user/27/password/
multiple repeat at position 10
Request Method: POST
Request URL: http://localhost:8000/admin/users/user/27/password/
Django Version: 3.0.7
Exception Type: error
Exception Value:
multiple repeat at position 10
Exception Location: /usr/lib/python3.8/sre_parse.py in _parse, line 671
Python Executable: /home/dave/.virtualenvs/my-project/bin/python
Python Version: 3.8.5
Python Path:
['/home/dave/my-project',
'/home/dave/my-project/django',
'/usr/lib/python38.zip',
'/usr/lib/python3.8',
'/usr/lib/python3.8/lib-dynload',
'/home/dave/.virtualenvs/my-project/lib/python3.8/site-packages']
Server time: Mon, 2 Nov 2020 17:35:25 +0100
Change History (2)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
I cannot reproduce this issue with builtin validators; it looks like it's an issue in a custom password validator. Closing per TicketClosingReasons/UseSupportChannels.
So, a quick Google search indicates that the "*" is probably being interpreted as a regex wildcard. And two in a row is probably invalid, leading to the exception being raised.
What happens if you escape the '*' characters, e.g., use querty123\*\*\* instead of querty*? I'm expecting that doing so would allow for the use of "*" in a password (or trigger some other filtering/error that might be in place that disallows use of "*").
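A hypothetical custom password validator that reproduces the `multiple repeat at position 10` error from the traceback above, next to a corrected form. This is an added example, not code from the ticket or from Django. The reporter's validator is not shown, so both validator classes, the `check` helper, the constructed `USER` data and the local `ValidationError` stand-in are assumptions.

```python
import re


class ValidationError(Exception):
    """Local stand-in for django.core.exceptions.ValidationError (runs without Django)."""


class UnsafeSimilarityValidator:
    """Hypothetical validator: compiles the submitted password as a regex pattern."""

    def validate(self, password, user=None):
        for value in (user or {}).values():
            # Defect: the password is user input, yet it is used as the pattern.
            # "qwerty123**" raises re.error, which nothing catches -> HTTP 500.
            if re.search(password, value, re.IGNORECASE):
                raise ValidationError("The password is too similar to your profile.")


class SafeSimilarityValidator:
    """Same rule, with the password matched as literal text."""

    def validate(self, password, user=None):
        for value in (user or {}).values():
            # re.escape() makes every metacharacter literal, so the pattern always
            # compiles and only a real substring of the profile value matches.
            if re.search(re.escape(password), value, re.IGNORECASE):
                raise ValidationError("The password is too similar to your profile.")


def check(validator, password, user):
    """Return 'ok', 'rejected', or the re.error text that would surface as a 500."""
    try:
        validator.validate(password, user)
    except ValidationError:
        return "rejected"
    except re.error as exc:
        return f"crash: {exc}"
    return "ok"


# Constructed sample profile data, not taken from the ticket.
USER = {"username": "dave", "email": "dave@example.com"}

if __name__ == "__main__":
    for pw in ("qwerty123**", "d.ve", "Dave"):
        print(pw, check(UnsafeSimilarityValidator(), pw, USER),
              check(SafeSimilarityValidator(), pw, USER))
```

Besides the crash, the unsafe form also gives wrong answers for passwords that happen to be valid patterns: `d.ve` is rejected as similar to `dave` although it is not a substring of any profile value.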