From c9e8eeb69ad6b6fa643473a8d4323c0cc30e7359 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 10 Sep 2024 11:02:30 +0200
Subject: [PATCH] Fix #3425
---
 core/admin/mailu/ui/forms.py | 12 ++++++++----
 towncrier/newsfragments/3425.misc | 1 +
 2 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 towncrier/newsfragments/3425.misc
diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py
index 798bd923..03a85149 100644
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@@ -9,6 +9,10 @@ import ipaddress
 LOCALPART_REGEX = r'^[a-zA-Z0-9!#$%&\'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&\'*+/=?^_`{|}~-]+)*$'
+def checkStrippable(data):
+ if data.startswith(' ') or data.endswith(' '):
+ raise ValidationError(_('Passwords should not start or end with whitespaces'))
+
 class DestinationField(fields.SelectMultipleField):
 """ Allow for multiple emails selection from current user choices and additional email addresses.
@@ -68,7 +72,7 @@ class DomainForm(flask_wtf.FlaskForm):
 class DomainSignupForm(flask_wtf.FlaskForm):
 name = fields.StringField(_('Domain name'), [validators.DataRequired()])
 localpart = fields.StringField(_('Initial admin'), [validators.DataRequired()])
- pw = fields.PasswordField(_('Admin password'), [validators.DataRequired()])
+ pw = fields.PasswordField(_('Admin password'), [validators.DataRequired(), checkStrippable])
 pw2 = fields.PasswordField(_('Confirm password'), [validators.EqualTo('pw')])
 pwned = fields.HiddenField(label='', default=-1)
 captcha = flask_wtf.RecaptchaField()
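Review bot: `def checkStrippable(data)` does not match the WTForms validator protocol — every entry in a field's validator list is invoked as `validator(form, field)`, so once DataRequired passes on a non-empty password this function receives two positional arguments and fails with TypeError rather than raising the intended ValidationError (unless an adapter not visible in this diff wraps it). Declare it as `def checkStrippable(form, field):` and inspect `field.data` instead of `data`. The body also only detects U+0020 while the message talks about whitespace in general; if the intent is to reject anything `str.strip()` would remove (tabs, newlines, NBSP — what a client or server-side strip would drop), compare `if field.data and field.data != field.data.strip():`, where the `field.data and` guard also covers the empty submission on forms whose pw field carries no DataRequired. `ValidationError` and `_` must already be importable in this module; their imports are outside the hunk, so please confirm. A one-line docstring such as `"""WTForms validator: reject passwords with leading/trailing whitespace, which may be stripped before authentication."""` would make the contract obvious to the next reader.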
@@ -89,7 +93,7 @@ class RelayForm(flask_wtf.FlaskForm):
 class UserForm(flask_wtf.FlaskForm):
 localpart = fields.StringField(_('E-mail'), [validators.DataRequired(), validators.Regexp(LOCALPART_REGEX)])
- pw = fields.PasswordField(_('Password'))
+ pw = fields.PasswordField(_('Password'), [checkStrippable])
 pw2 = fields.PasswordField(_('Confirm password'), [validators.EqualTo('pw')])
 pwned = fields.HiddenField(label='', default=-1)
 quota_bytes = fields_.IntegerSliderField(_('Quota'), default=10**9)
@@ -105,7 +109,7 @@ class UserForm(flask_wtf.FlaskForm):
 class UserSignupForm(flask_wtf.FlaskForm):
 localpart = fields.StringField(_('Email address'), [validators.DataRequired(), validators.Regexp(LOCALPART_REGEX)])
- pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
+ pw = fields.PasswordField(_('Password'), [validators.DataRequired(), checkStrippable])
 pw2 = fields.PasswordField(_('Confirm password'), [validators.EqualTo('pw')])
 pwned = fields.HiddenField(label='', default=-1)
 submit = fields.SubmitField(_('Sign up'))
@@ -132,7 +136,7 @@ class UserPasswordForm(flask_wtf.FlaskForm):
 class UserPasswordChangeForm(flask_wtf.FlaskForm):
 current_pw = fields.PasswordField(_('Current password'), [validators.DataRequired()])
- pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
+ pw = fields.PasswordField(_('Password'), [validators.DataRequired(), checkStrippable])
 pw2 = fields.PasswordField(_('Password check'), [validators.DataRequired()])
 pwned = fields.HiddenField(label='', default=-1)
 submit = fields.SubmitField(_('Update password'))
diff --git a/towncrier/newsfragments/3425.misc b/towncrier/newsfragments/3425.misc
new file mode 100644
index 00000000..9d7750fe
--- /dev/null
+++ b/towncrier/newsfragments/3425.misc
@@ -0,0 +1 @@
+Warn if passwords set from the UI contain leading or trailing whitespaces (see #3425)
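Review bot: On UserForm the pw field has no DataRequired, so `checkStrippable` now runs on every save of an existing user, including the common "leave the password unchanged" submission where the value is empty; that is only safe if the validator tolerates an empty (possibly None) `field.data`, which the definition in this patch does not explicitly guard. The idiomatic WTForms way to say "optional, but checked when present" is `pw = fields.PasswordField(_('Password'), [validators.Optional(strip_whitespace=False), checkStrippable])`. `strip_whitespace=False` matters here: the default `Optional()` strips the raw value before deciding it is empty, so a whitespace-only password would be treated as absent and skip the very check this commit adds. The remainder of UserForm lies outside the hunk.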