diff --git a/common/djangoapps/util/password_policy_validators.py b/common/djangoapps/util/password_policy_validators.py index b1ac096703..6369abb643 100644 --- a/common/djangoapps/util/password_policy_validators.py +++ b/common/djangoapps/util/password_policy_validators.py @@ -91,9 +91,17 @@ def password_validators_restrictions(): def normalize_password(password): """ + Converts the password to utf-8 if it is not unicode already. Normalize all passwords to 'NFKC' across the platform to prevent mismatched hash strings when comparing entered passwords on login. See LEARNER-4283 for more context. """ + if not isinstance(password, text_type): + try: + # some checks rely on unicode semantics (e.g. length) + password = text_type(password, encoding='utf8') + except UnicodeDecodeError: + # no reason to get into weeds + raise ValidationError([_('Invalid password.')]) return unicodedata.normalize('NFKC', password) @@ -101,7 +109,7 @@ def validate_password(password, user=None): """ EdX's custom password validator for passwords. This function performs the following functions: - 1) Converts the password to unicode if it is not already + 1) Normalizes the password according to NFKC unicode standard 2) Calls Django's validate_password method. This calls the validate function in all validators specified in AUTH_PASSWORD_VALIDATORS configuration. @@ -114,8 +122,7 @@ def validate_password(password, user=None): None Raises: - ValidationError if unable to convert password to utf8 or if any of the - password validators fail. + ValidationError if any of the password validators fail. """ if not isinstance(password, text_type): try: diff --git a/openedx/core/djangoapps/user_api/accounts/utils.py b/openedx/core/djangoapps/user_api/accounts/utils.py index d2b5cdd602..2d9c16fea1 100644 --- a/openedx/core/djangoapps/user_api/accounts/utils.py +++ b/openedx/core/djangoapps/user_api/accounts/utils.py 
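Review bot: The new first docstring line in normalize_password says the password is converted "to utf-8", but the added branch does the opposite: it decodes UTF-8 bytes into `text_type`. The docstring also omits the ValidationError that undecodable input now raises. I would reword the line to `Decodes the password from UTF-8 bytes to text if it is not already text.` and add `Raises: ValidationError if the bytes are not valid UTF-8.` The docstring says this function is used when comparing entered passwords on login, so callers on that path should presumably treat the ValidationError as a failed authentication rather than an unhandled error; those callers are not visible in this patch.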
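Review bot: The updated validate_password docstring no longer matches the code visible in this patch. Step 1 now reads "Normalizes the password according to NFKC unicode standard", and the Raises entry in the later hunk at -114 drops the utf8 conversion failure. Yet the trailing context of that hunk still shows `if not isinstance(password, text_type):` followed by `try:` at the top of the body. If that branch still decodes the password and raises ValidationError, keep the conversion failure in Raises. Otherwise replace the branch with `password = normalize_password(password)` so that step 1 is true; the rest of the body lies outside the hunk, so this needs confirming against the full function.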
@@ -1,6 +1,8 @@ """ Utility methods for the account settings. """ +from __future__ import unicode_literals + import random import re import string