horizon: Trailing spaces removed on passwords

Sorin Sbarnea ssbarnea at redhat.com
Wed Jan 29 06:44:50 UTC 2020


Indeed, a well-known web UX improving feature, a very useful one. I hope
nobody tries to remove it.

This kind of feature must always be implemented in the client (browser). No
server side API should ever try to “sanitize” a password string.

On Tue, 28 Jan 2020 at 22:14, Albert Braden <Albert.Braden at synopsys.com>
wrote:

> Stripping leading/trailing spaces from passwords is the correct behavior.
> Passwords should not contain leading/trailing spaces, and when they do it
> is usually because of a paste error.
>
> -----Original Message-----
> From: Orestes Leal Rodríguez <olealrd1981 at gmail.com>
> Sent: Tuesday, January 28, 2020 1:24 PM
> To: openstack-discuss at lists.openstack.org
> Subject: Re: horizon: Trailing spaces removed on passwords
>
> I have found a way to solve it and give access to users that have
> passwords with spaces at the beginning/end. The issue (not an issue
> per se, but it affects horizon [stein]) lies in django. Specifically
> on 'django/forms/fields.py'
>
> Horizon uses the fields and those by default remove spaces as stated.
> What I did is the following:
>
> On that file, the class CharField's constructor was removing
> leading/trailing spaces:
> Below is the diff between the original and the modified python script
> (one line modified, strip=False)
>
> --- fields.py.orig      2020-01-28 15:16:22.696047918 -0500
> +++ fields.py   2020-01-28 15:16:45.520084974 -0500
> @@ -220,7 +220,7 @@
>
>
>  class CharField(Field):
> -    def __init__(self, max_length=None, min_length=None, strip=True,
> empty_value='', *args, **kwargs):
> +    def __init__(self, max_length=None, min_length=None, strip=False,
> empty_value='', *args, **kwargs):
>          self.max_length = max_length
>          self.min_length = min_length
>          self.strip = strip
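Review bot: flipping the default to `strip=False` in `CharField.__init__` changes every `CharField` built on this Django install, not only password inputs, so all other text fields stop being trimmed too. Keep the framework default and pass `strip=False` on the password field of the login form instead, e.g. `forms.CharField(strip=False, widget=forms.PasswordInput)`. An edit made directly to the installed `fields.py` is also lost the next time the Django package is upgraded.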
>
> Now passwords are not altered by the underlying framework. Not sure
> what effect not removing trailing/leading spaces from the text fields
> will have on the Horizon operations, though. Maybe horizon should
> redefine that django class to avoid this behavior. I'm also open to
> other solutions from the community. Have a great evening,
>
>
> Thanks.
> Orestes
>
> On 1/28/20, Orestes Leal Rodríguez <olealrd1981 at gmail.com> wrote:
> > From the dashboard openstack is removing the trailing spaces from our
> > users' passwords.
> > We have a modified sql.py backend, that does an ldap bind to an active
> > directory data store. And that works almost always. I say almost
> > because for some users it doesn't work at all. We figured out (and a
> > co-worker also confirmed this) that openstack is removing trailing
> > (also leading?) spaces from the password entered in the dashboard.
> > Also, inside the dashboard trailing spaces are not accepted even when
> > they are equal byte by byte (including the space, I get an error). So
> > this is going on.
> >
> > Does anybody know where this removal is performed? (python script
> > location, line) So I can remove that since I have users (me included,
> > I have the issue since the very beginning of this deployment) that
> > cannot log in. And they can use their Active Directory passwords from
> > other apps without problem.
> >
> > We are running 'stein' with the latest update for ubuntu 18.04-AMD64.
> >
>
> --
--
/sorin