#36400 closed Bug (needsinfo)
CommonPasswordValidator fails on plaintext list of common passwords
| Reported by: | tpazderka | Owned by: | |
|---|---|---|---|
| Component: | contrib.auth | Version: | 5.1 |
| Severity: | Normal | Keywords: | |
| Cc: | tpazderka | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
As per documentation, the file that is passed to the CommonPassowrodValidator can be either plaintext or gzipped.
We have been using plaintext version which worked previously, but stopped working after upgrade to 5.1.9 with the following stacktrace:
File "/app/venv/lib/python3.13/site-packages/django/contrib/auth/password_validation.py", line 237, in __init__
self.passwords = {x.strip() for x in f}
^
File "/usr/local/lib/python3.13/gzip.py", line 353, in read1
return self._buffer.read1(size)
~~~~~~~~~~~~~~~~~~^^^^^^
File "/usr/local/lib/python3.13/_compression.py", line 68, in readinto
data = self.read(len(byte_view))
File "/usr/local/lib/python3.13/gzip.py", line 546, in read
if not self._read_gzip_header():
~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/local/lib/python3.13/gzip.py", line 515, in _read_gzip_header
last_mtime = _read_gzip_header(self._fp)
File "/usr/local/lib/python3.13/gzip.py", line 475, in _read_gzip_header
raise BadGzipFile('Not a gzipped file (%r)' % magic)
gzip.BadGzipFile: Not a gzipped file (b'pa')
Taking the same file and running it through gzip common-passwords.txt fixes the issue.
Python version: 3.13.3
Django version: 5.1.9
Change History (2)
comment:1 by , 4 months ago
| Resolution: | → needsinfo |
|---|---|
| Status: | new → closed |
comment:2 by , 4 months ago
Yes, I couldn't understand it either as I saw the try ... except and that the raised exception is of the correct class.
I am out of office this week, so I will get you more info next week and can try to troubleshoot and see if I can reproduce it locally instead of in our docker image, had no time to do that on Friday.
If I am not mistaken, we were on 4.1.X and Python 3.12.X.
It wasn't the only change as we have updated all the python packages.
We haven't touched anything close to passwords and or configuration of validators/passwords.
I'm not sure why this is giving you trouble. There's a test for this in Django's test suite.
The code that raises the exception is wrapped in
try/except OSErrorandI'm skeptical that Django is at fault. What version of Django worked previously for you? Are you sure that's the only difference?