id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34654	Post-normalization performed on the Username field leading to the bypass of the whitespace stripping	Sim4n6	George Kussumoto	"**Summary**

In the Django codebase [L74](https://github.com/django/django/blob/a52bdea5a27ba44b13eda93642231c65c581e083/django/contrib/auth/forms.py#L74), when ""strip"" is enabled [L265](https://github.com/django/django/blob/a52bdea5a27ba44b13eda93642231c65c581e083/django/forms/fields.py#L265), the username should not contain any trailing or leading whitespace. However, after stripping those whitespace [L278..L279](https://github.com/django/django/blob/a52bdea5a27ba44b13eda93642231c65c581e083/django/forms/fields.py#L278..L279), normalization is performed. That means stripping whitespaces could be bypassed in the username using similar Unicode characters as ""\u2800""

Take the following case:

    result = unicodedata.normalize(""NFKC"", ""\u2800\u2800sim4n6\u2800\u2800"".strip())

In case, the stripped string ""sim4n6"" contains a leading and trailing whitespace, that would be deleted and work perfectly.
In case, the stripped string ""\u2800\u2800sim4n6\u2800\u2800"" contains similar Unicode characters to the whitespace which could be copied for instance from https://emptycharacter.com. 

**Impact**

There is a security concern regarding including spaces in the username, plus that, the username is attacker-controlled input.
This means the whitespace stripping on the username could be bypassed and a remote user could use unintended white space.


@Sim4n6"	Bug	assigned	contrib.auth	dev	Normal				Accepted	0	0	0	0	0	0