<div><div dir="auto">Indeed, a well-known web UX-improving feature, a very useful one. I hope nobody tries to remove it. </div><div dir="auto"><br></div><div dir="auto">This kind of feature must always be implemented in the client (browser). No server-side API should ever try to “sanitize” a password string.</div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 28 Jan 2020 at 22:14, Albert Braden <<a href="mailto:Albert.Braden@synopsys.com">Albert.Braden@synopsys.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">Stripping leading/trailing spaces from passwords is the correct behavior. Passwords should not contain leading/trailing spaces, and when they do it is usually because of a paste error.<br>
<br>
-----Original Message-----<br>
From: Orestes Leal Rodríguez <<a href="mailto:olealrd1981@gmail.com" target="_blank">olealrd1981@gmail.com</a>> <br>
Sent: Tuesday, January 28, 2020 1:24 PM<br>
To: <a href="mailto:openstack-discuss@lists.openstack.org" target="_blank">openstack-discuss@lists.openstack.org</a><br>
Subject: Re: horizon: Trailing spaces removed on passwords<br>
<br>
I have found a way to solve it and give access to users that have<br>
passwords with spaces at the beginning/end. The issue (not an issue<br>
per se, but it affects Horizon [stein]) lies in Django, specifically<br>
in 'django/forms/fields.py'.<br>
<br>
Horizon uses the fields, and those by default remove spaces as stated.<br>
What I did is the following:<br>
<br>
In that file, the class CharField's constructor was removing<br>
leading/trailing spaces.<br>
Below is the diff between the original and the modified Python script<br>
(one line modified, strip=False):<br>
<br>
--- fields.py.orig 2020-01-28 15:16:22.696047918 -0500<br>
+++ fields.py 2020-01-28 15:16:45.520084974 -0500<br>
@@ -220,7 +220,7 @@<br>
<br>
<br>
class CharField(Field):<br>
- def __init__(self, max_length=None, min_length=None, strip=True,<br>
empty_value='', *args, **kwargs):<br>
+ def __init__(self, max_length=None, min_length=None, strip=False,<br>
empty_value='', *args, **kwargs):<br>
self.max_length = max_length<br>
self.min_length = min_length<br>
self.strip = strip<br>
<br>
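</blockquote><div dir="auto">Review bot: changing the default in the CharField.__init__ signature from strip=True to strip=False turns off whitespace stripping for every CharField that does not pass strip explicitly, not only password inputs, and the edit lives in Django's own fields.py, so it is lost whenever that file is replaced. Leave the default at strip=True and pass strip=False only on the password fields of the forms that need it, so that other text fields keep being trimmed.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">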
Now passwords are not altered by the underlying framework. Not sure<br>
what effect not removing trailing/leading spaces from the text fields<br>
will have on the Horizon operations, though. Maybe Horizon should<br>
redefine that Django class to avoid this behavior. I'm also open to<br>
other solutions from the community. Have a great evening,<br>
<br>
<br>
Thanks.<br>
Orestes<br>
<br>
On 1/28/20, Orestes Leal Rodríguez <<a href="mailto:olealrd1981@gmail.com" target="_blank">olealrd1981@gmail.com</a>> wrote:<br>
> From the dashboard, OpenStack is removing the trailing spaces from our<br>
> users' passwords.<br>
> We have a modified sql.py backend that does an LDAP bind to an Active<br>
> Directory data store. And that works almost always. I say almost<br>
> because for some users it doesn't work at all. We figured out (and a<br>
> co-worker also confirmed this) that OpenStack is removing trailing<br>
> (also leading?) spaces from the password entered in the dashboard.<br>
> Also, inside the dashboard trailing spaces are not accepted even when<br>
> they are equal byte by byte (including the space, I get an error). So<br>
> this is going on.<br>
><br>
> Does anybody know where this removal is performed? (Python script<br>
> location, line) So I can remove that, since I have users (me included,<br>
> I have had the issue since the very beginning of this deployment) that<br>
> cannot log in. And they can use their Active Directory passwords from<br>
> other apps without problem.<br>
><br>
> We are running 'stein' with the latest update for Ubuntu 18.04-AMD64.<br>
><br>
<br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--<div>/sorin</div></div></div>