From d0fe6c915665fa3220e84bd691ba7002a357e5c5 Mon Sep 17 00:00:00 2001
From: Vincenzo Pandolfo <pandolfovince@gmail.com>
Date: Mon, 14 Mar 2016 20:21:05 +0000
Subject: [PATCH] Fixed #26334 -- Removed whitespace stripping from
 contrib.auth password fields.

---
 django/contrib/auth/forms.py   |  9 +++++-
 docs/releases/1.9.5.txt        |  6 ++++
 tests/auth_tests/test_forms.py | 56 ++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 1e86ece25d0..4485e1fb14e 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -69,9 +69,11 @@ class UserCreationForm(forms.ModelForm):
         'password_mismatch': _("The two password fields didn't match."),
     }
     password1 = forms.CharField(label=_("Password"),
+        strip=False,
         widget=forms.PasswordInput)
     password2 = forms.CharField(label=_("Password confirmation"),
         widget=forms.PasswordInput,
+        strip=False,
         help_text=_("Enter the same password as before, for verification."))
 
     class Meta:
@@ -134,7 +136,7 @@ class AuthenticationForm(forms.Form):
         max_length=254,
         widget=forms.TextInput(attrs={'autofocus': ''}),
     )
-    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+    password = forms.CharField(label=_("Password"), strip=False, widget=forms.PasswordInput)
 
     error_messages = {
         'invalid_login': _("Please enter a correct %(username)s and password. "
@@ -276,8 +278,10 @@ class SetPasswordForm(forms.Form):
     }
     new_password1 = forms.CharField(label=_("New password"),
                                     widget=forms.PasswordInput,
+                                    strip=False,
                                     help_text=password_validation.password_validators_help_text_html())
     new_password2 = forms.CharField(label=_("New password confirmation"),
+                                    strip=False,
                                     widget=forms.PasswordInput)
 
     def __init__(self, user, *args, **kwargs):
@@ -315,6 +319,7 @@ class PasswordChangeForm(SetPasswordForm):
     })
     old_password = forms.CharField(
         label=_("Old password"),
+        strip=False,
         widget=forms.PasswordInput(attrs={'autofocus': ''}),
     )
 
@@ -344,11 +349,13 @@ class AdminPasswordChangeForm(forms.Form):
     password1 = forms.CharField(
         label=_("Password"),
         widget=forms.PasswordInput(attrs={'autofocus': ''}),
+        strip=False,
         help_text=password_validation.password_validators_help_text_html(),
     )
     password2 = forms.CharField(
         label=_("Password (again)"),
         widget=forms.PasswordInput,
+        strip=False,
         help_text=_("Enter the same password as before, for verification."),
     )
 
diff --git a/docs/releases/1.9.5.txt b/docs/releases/1.9.5.txt
index 55fd794d789..7e8efb6fec8 100644
--- a/docs/releases/1.9.5.txt
+++ b/docs/releases/1.9.5.txt
@@ -19,3 +19,9 @@ Bugfixes
 
 * Fixed data loss on SQLite where ``DurationField`` values with fractional
   seconds could be saved as ``None`` (:ticket:`26324`).
+
+* The forms in ``contrib.auth`` no longer strip trailing and leading whitespace
+  from the password fields (:ticket:`26334`). The change requires users who set
+  their password to something with such whitespace after a site updated to
+  Django 1.9 to reset their password. It provides backwards-compatibility for
+  earlier versions of Django.
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index c0afe2912d0..6172c44783f 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -139,6 +139,17 @@ class UserCreationFormTest(TestDataMixin, TestCase):
         form = CustomUserCreationForm(data)
         self.assertTrue(form.is_valid())
 
+    def test_password_whitespace_not_stripped(self):
+        data = {
+            'username': 'testuser',
+            'password1': '   testpassword   ',
+            'password2': '   testpassword   ',
+        }
+        form = UserCreationForm(data)
+        self.assertTrue(form.is_valid())
+        self.assertEqual(form.cleaned_data['password1'], data['password1'])
+        self.assertEqual(form.cleaned_data['password2'], data['password2'])
+
 
 class AuthenticationFormTest(TestDataMixin, TestCase):
 
@@ -248,6 +259,15 @@ class AuthenticationFormTest(TestDataMixin, TestCase):
         form = CustomAuthenticationForm()
         self.assertEqual(form.fields['username'].label, "")
 
+    def test_password_whitespace_not_stripped(self):
+        data = {
+            'username': 'testuser',
+            'password': ' pass ',
+        }
+        form = AuthenticationForm(None, data)
+        form.is_valid()  # Not necessary to have valid credentails for the test.
+        self.assertEqual(form.cleaned_data['password'], data['password'])
+
 
 class SetPasswordFormTest(TestDataMixin, TestCase):
 
@@ -298,6 +318,17 @@ class SetPasswordFormTest(TestDataMixin, TestCase):
             form["new_password2"].errors
         )
 
+    def test_password_whitespace_not_stripped(self):
+        user = User.objects.get(username='testclient')
+        data = {
+            'new_password1': '   password   ',
+            'new_password2': '   password   ',
+        }
+        form = SetPasswordForm(user, data)
+        self.assertTrue(form.is_valid())
+        self.assertEqual(form.cleaned_data['new_password1'], data['new_password1'])
+        self.assertEqual(form.cleaned_data['new_password2'], data['new_password2'])
+
 
 class PasswordChangeFormTest(TestDataMixin, TestCase):
 
@@ -348,6 +379,20 @@ class PasswordChangeFormTest(TestDataMixin, TestCase):
         self.assertEqual(list(PasswordChangeForm(user, {}).fields),
                          ['old_password', 'new_password1', 'new_password2'])
 
+    def test_password_whitespace_not_stripped(self):
+        user = User.objects.get(username='testclient')
+        user.set_password('   oldpassword   ')
+        data = {
+            'old_password': '   oldpassword   ',
+            'new_password1': ' pass ',
+            'new_password2': ' pass ',
+        }
+        form = PasswordChangeForm(user, data)
+        self.assertTrue(form.is_valid())
+        self.assertEqual(form.cleaned_data['old_password'], data['old_password'])
+        self.assertEqual(form.cleaned_data['new_password1'], data['new_password1'])
+        self.assertEqual(form.cleaned_data['new_password2'], data['new_password2'])
+
 
 class UserChangeFormTest(TestDataMixin, TestCase):
 
@@ -635,3 +680,14 @@ class AdminPasswordChangeFormTest(TestDataMixin, TestCase):
         self.assertEqual(password_changed.call_count, 0)
         form.save()
         self.assertEqual(password_changed.call_count, 1)
+
+    def test_password_whitespace_not_stripped(self):
+        user = User.objects.get(username='testclient')
+        data = {
+            'password1': ' pass ',
+            'password2': ' pass ',
+        }
+        form = AdminPasswordChangeForm(user, data)
+        self.assertTrue(form.is_valid())
+        self.assertEqual(form.cleaned_data['password1'], data['password1'])
+        self.assertEqual(form.cleaned_data['password2'], data['password2'])