Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#36400 closed Bug (needsinfo)

CommonPasswordValidator fails on plaintext list of common passwords

Reported by: tpazderka Owned by:
Component: contrib.auth Version: 5.1
Severity: Normal Keywords:
Cc: tpazderka Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

As per documentation, the file that is passed to the CommonPasswordValidator can be either plaintext or gzipped.

We have been using plaintext version which worked previously, but stopped working after upgrade to 5.1.9 with the following stacktrace:

  File "/app/venv/lib/python3.13/site-packages/django/contrib/auth/password_validation.py", line 237, in __init__
    self.passwords = {x.strip() for x in f}
                                         ^
  File "/usr/local/lib/python3.13/gzip.py", line 353, in read1
    return self._buffer.read1(size)
           ~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/local/lib/python3.13/_compression.py", line 68, in readinto
    data = self.read(len(byte_view))
  File "/usr/local/lib/python3.13/gzip.py", line 546, in read
    if not self._read_gzip_header():
           ~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/gzip.py", line 515, in _read_gzip_header
    last_mtime = _read_gzip_header(self._fp)
  File "/usr/local/lib/python3.13/gzip.py", line 475, in _read_gzip_header
    raise BadGzipFile('Not a gzipped file (%r)' % magic)
gzip.BadGzipFile: Not a gzipped file (b'pa')

Taking the same file and running it through gzip common-passwords.txt fixes the issue.

Python version: 3.13.3
Django version: 5.1.9

Change History (2)

comment:1 by Tim Graham, 4 months ago

Resolution: needsinfo
Status: new → closed

I'm not sure why this is giving you trouble. There's a test for this in Django's test suite.

The code that raises the exception is wrapped in try/except OSError and

>>> isinstance(BadGzipFile(), OSError)
True

I'm skeptical that Django is at fault. What version of Django worked previously for you? Are you sure that's the only difference?
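
The gzip-then-plaintext fallback that comment:1 refers to, sketched as an added example (not Django's source and not part of the ticket). The names load_password_list, probe_gzip and demo and the three-word list are assumptions made for illustration. It also shows that gzip rejects a plain-text file on the first read rather than at open, which matches the traceback pointing at the set comprehension.

```python
import gzip
import os
import tempfile


def load_password_list(path):
    """Return the set of passwords in `path`, gzipped or plain text."""
    try:
        # The read must sit inside the try: gzip.open() accepts any file and
        # only validates the gzip header when the first bytes are read.
        with gzip.open(path, "rt", encoding="utf-8") as f:
            return {line.strip() for line in f}
    except OSError:
        # gzip.BadGzipFile subclasses OSError, so a plain-text list lands here.
        with open(path, encoding="utf-8") as f:
            return {line.strip() for line in f}


def probe_gzip(path):
    """Return (stage, exception) for a gzip failure on `path`, else None."""
    try:
        f = gzip.open(path, "rt", encoding="utf-8")
    except OSError as exc:  # e.g. missing file or permission problem
        return ("open", exc)
    try:
        with f:
            f.read(1)
    except OSError as exc:  # header check fails here for plain text
        return ("read", exc)
    return None


def demo():
    """Load one constructed list from a plain file and from a gzipped file."""
    words = ["password", "123456", "qwerty"]  # constructed sample list
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "common-passwords.txt")
        zipped = plain + ".gz"
        with open(plain, "w", encoding="utf-8") as f:
            f.write("\n".join(words) + "\n")
        with gzip.open(zipped, "wt", encoding="utf-8") as f:
            f.write("\n".join(words) + "\n")
        return load_password_list(plain), load_password_list(zipped), probe_gzip(plain)


if __name__ == "__main__":
    plain_set, gzip_set, probe = demo()
    print(plain_set == gzip_set, probe)
```

If probe_gzip reports an exception that is not an OSError subclass in a given environment, the fallback branch would not run and the validator would fail at start-up instead of loading the list.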

comment:2 by tpazderka, 4 months ago

Yes, I couldn't understand it either as I saw the try ... except and that the raised exception is of the correct class.

I am out of office this week, so I will get you more info next week and can try to troubleshoot and see if I can reproduce it locally instead of in our Docker image; I had no time to do that on Friday.

If I am not mistaken, we were on 4.1.X and Python 3.12.X.
It wasn't the only change as we have updated all the Python packages.
We haven't touched anything close to passwords and/or configuration of validators/passwords.
