Fixed #29952 -- Lowercased all passwords in contrib.auth's auth/common-passwords.txt.gz.

django/contrib/auth/password_validation.py

@@ -161,9 +161,11 @@ class CommonPasswordValidator:
     """
     Validate whether the password is a common password.
 
-    The password is rejected if it occurs in a provided list, which may be gzipped.
+    The password is rejected if it occurs in a provided list of passwords,
-    The list Django ships with contains 20000 common passwords, created by
+    which may be gzipped. The list Django ships with contains 20000 common
-    Royce Williams: https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
+    passwords (lowercased and deduplicated), created by Royce Williams:
+    https://gist.github.com/roycewilliams/281ce539915a947a23db17137d91aeb7
+    The password list must be lowercased to match the comparison in validate().
     """
     DEFAULT_PASSWORD_LIST_PATH = Path(__file__).resolve().parent / 'common-passwords.txt.gz'
 

docs/releases/2.1.4.txt

@@ -9,4 +9,6 @@ Django 2.1.4 fixes several bugs in 2.1.3.
 Bugfixes
 ========
 
-* ...
+* Corrected the default password list that ``CommonPasswordValidator`` uses by
+  lowercasing all passwords to match the format expected by the validator
+  (:ticket:`29952`).

tests/auth_tests/test_validators.py

@@ -202,6 +202,11 @@ class CommonPasswordValidatorTest(TestCase):
         self.assertEqual(cm.exception.messages, [expected_error])
         self.assertEqual(cm.exception.error_list[0].code, 'password_too_common')
 
+    def test_validate_django_supplied_file(self):
+        validator = CommonPasswordValidator()
+        for password in validator.passwords:
+            self.assertEqual(password, password.lower())
+
     def test_help_text(self):
         self.assertEqual(
             CommonPasswordValidator().get_help_text(),