{
  "instance_id": "django__django-11099",
  "repo": "django/django",
  "created_at": "2019-03-20T03:46:18Z",
  "problem_statement": "UsernameValidator allows trailing newline in usernames\nDescription\n\t\nASCIIUsernameValidator and UnicodeUsernameValidator use the regex \nr'^[\\w.@+-]+$'\nThe intent is to only allow alphanumeric characters as well as ., @, +, and -. However, a little known quirk of Python regexes is that $ will also match a trailing newline. Therefore, the user name validators will accept usernames which end with a newline. You can avoid this behavior by instead using \\A and \\Z to terminate regexes. For example, the validator regex could be changed to\nr'\\A[\\w.@+-]+\\Z'\nin order to reject usernames that end with a newline.\nI am not sure how to officially post a patch, but the required change is trivial - using the regex above in the two validators in contrib.auth.validators.\n",
  "patch": "diff --git a/django/contrib/auth/validators.py b/django/contrib/auth/validators.py\n--- a/django/contrib/auth/validators.py\n+++ b/django/contrib/auth/validators.py\n@@ -7,7 +7,7 @@\n \n @deconstructible\n class ASCIIUsernameValidator(validators.RegexValidator):\n-    regex = r'^[\\w.@+-]+$'\n+    regex = r'^[\\w.@+-]+\\Z'\n     message = _(\n         'Enter a valid username. This value may contain only English letters, '\n         'numbers, and @/./+/-/_ characters.'\n@@ -17,7 +17,7 @@ class ASCIIUsernameValidator(validators.RegexValidator):\n \n @deconstructible\n class UnicodeUsernameValidator(validators.RegexValidator):\n-    regex = r'^[\\w.@+-]+$'\n+    regex = r'^[\\w.@+-]+\\Z'\n     message = _(\n         'Enter a valid username. This value may contain only letters, '\n         'numbers, and @/./+/-/_ characters.'\n",
  "similar_bug_items": [
    {
      "pr_number": 7471,
      "pr_title": "Fixed #26812 -- Check only path with APPEND_SLASH enabled",
      "pr_body": "",
      "issue_id": 26812,
      "issue_title": "APPEND_SLASH doesn't work with URLs that have query strings",
      "issue_body": "",
      "issue_closed_at": "2016-11-06T03:38:42",
      "base_commit": "b741fe397aa567dd43d3e9dbd9fb5ecca6eab412",
      "changes": [
        {
          "file": "django/middleware/common.py",
          "type": "function",
          "name": "should_redirect_with_slash",
          "class_name": "CommonMiddleware",
          "code": "def should_redirect_with_slash(self, request):\n        \"\"\"\n        Return True if settings.APPEND_SLASH is True and appending a slash to\n        the request path turns an invalid path into a valid one.\n        \"\"\"\n        if settings.APPEND_SLASH and not request.get_full_path().endswith('/'):\n            urlconf = getattr(request, 'urlconf', None)\n            return (\n                not is_valid_path(request.path_info, urlconf) and\n                is_valid_path('%s/' % request.path_info, urlconf)\n            )\n        return False"
        }
      ]
    },
    {
      "pr_number": 4204,
      "pr_title": "Fixed #24395 -- Ensured inline ModelsForms have an updated related instance.",
      "pr_body": "",
      "issue_id": 24395,
      "issue_title": "Cannot reference FK relation from inline ModelForm.save()",
      "issue_body": "",
      "issue_closed_at": "2015-02-24T10:46:57",
      "base_commit": "8e129b42ad9c9adca599228ae2ad68271fa46d44",
      "changes": [
        {
          "file": "django/forms/models.py",
          "type": "function",
          "name": "get_default_prefix",
          "class_name": "BaseInlineFormSet",
          "code": "def get_default_prefix(cls):\n        return cls.fk.rel.get_accessor_name(model=cls.model).replace('+', '')"
        }
      ]
    },
    {
      "pr_number": 10277,
      "pr_title": "Fixed #29612 -- Add prefetch_related() cache invalidation for Generic Relations",
      "pr_body": "Ticket: https://code.djangoproject.com/ticket/29612\r\n\r\nNot sure if I need documentation for this, as the current docs seem to imply that this is the case anyway.",
      "issue_id": 29612,
      "issue_title": "Add prefetch_related() cache invalidation for GenericRelations",
      "issue_body": "",
      "issue_closed_at": "2018-08-17T14:21:37",
      "base_commit": "bf17f5e88466e3f571065345f5b2fea0d8af89fe",
      "changes": [
        {
          "file": "django/contrib/contenttypes/fields.py",
          "type": "function",
          "name": "_apply_rel_filters",
          "class_name": "GenericRelatedObjectManager",
          "code": "def _apply_rel_filters(self, queryset):\n            \"\"\"\n            Filter the queryset for the instance this manager is bound to.\n            \"\"\"\n            db = self._db or router.db_for_read(self.model, instance=self.instance)\n            return queryset.using(db).filter(**self.core_filters)"
        },
        {
          "file": "django/contrib/contenttypes/fields.py",
          "type": "function",
          "name": "get_prefetch_queryset",
          "class_name": "GenericRelatedObjectManager",
          "code": "def get_prefetch_queryset(self, instances, queryset=None):\n            if queryset is None:\n                queryset = super().get_queryset()\n\n            queryset._add_hints(instance=instances[0])\n            queryset = queryset.using(queryset._db or self._db)\n\n            query = {\n                '%s__pk' % self.content_type_field_name: self.content_type.id,\n                '%s__in' % self.object_id_field_name: {obj.pk for obj in instances}\n            }\n\n            # We (possibly) need to convert object IDs to the type of the\n            # instances' PK in order to match up instances:\n            object_id_converter = instances[0]._meta.pk.to_python\n            return (\n                queryset.filter(**query),\n                lambda relobj: object_id_converter(getattr(relobj, self.object_id_field_name)),\n                lambda obj: obj.pk,\n                False,\n                self.prefetch_cache_name,\n                False,\n            )"
        },
        {
          "file": "django/contrib/contenttypes/fields.py",
          "type": "function",
          "name": "clear",
          "class_name": "GenericRelatedObjectManager",
          "code": "def clear(self, *, bulk=True):\n            self._clear(self, bulk)"
        },
        {
          "file": "django/contrib/contenttypes/fields.py",
          "type": "function",
          "name": "set",
          "class_name": "GenericRelatedObjectManager",
          "code": "def set(self, objs, *, bulk=True, clear=False):\n            # Force evaluation of `objs` in case it's a queryset whose value\n            # could be affected by `manager.clear()`. Refs #19816.\n            objs = tuple(objs)\n\n            db = router.db_for_write(self.model, instance=self.instance)\n            with transaction.atomic(using=db, savepoint=False):\n                if clear:\n                    self.clear()\n                    self.add(*objs, bulk=bulk)\n                else:\n                    old_objs = set(self.using(db).all())\n                    new_objs = []\n                    for obj in objs:\n                        if obj in old_objs:\n                            old_objs.remove(obj)\n                        else:\n                            new_objs.append(obj)\n\n                    self.remove(*old_objs)\n                    self.add(*new_objs, bulk=bulk)"
        }
      ]
    },
    {
      "pr_number": 4462,
      "pr_title": "Fixed #24578 -- Fixed crash with QuerySet.update() on FK to O2O fields.",
      "pr_body": "",
      "issue_id": 24578,
      "issue_title": "prepare_database_save breaks some OneToOneField's in 1.8",
      "issue_body": "",
      "issue_closed_at": "2015-04-09T07:21:57",
      "base_commit": "20a98d863f00fc48f9c7fd783d8d0539c6be41f5",
      "changes": [
        {
          "file": "django/db/models/base.py",
          "type": "function",
          "name": "_get_next_or_previous_in_order",
          "class_name": "Model",
          "code": "def _get_next_or_previous_in_order(self, is_next):\n        cachename = \"__%s_order_cache\" % is_next\n        if not hasattr(self, cachename):\n            op = 'gt' if is_next else 'lt'\n            order = '_order' if is_next else '-_order'\n            order_field = self._meta.order_with_respect_to\n            obj = self._default_manager.filter(**{\n                order_field.name: getattr(self, order_field.attname)\n            }).filter(**{\n                '_order__%s' % op: self._default_manager.values('_order').filter(**{\n                    self._meta.pk.name: self.pk\n                })\n            }).order_by(order)[:1].get()\n            setattr(self, cachename, obj)\n        return getattr(self, cachename)"
        }
      ]
    },
    {
      "pr_number": 8629,
      "pr_title": "Fixed #28293 -- Fixed union(), intersection(), and difference() when combining with an EmptyQuerySet.",
      "pr_body": "https://code.djangoproject.com/ticket/28293",
      "issue_id": 28293,
      "issue_title": "QuerySet.union(QuerySet.none()) results in an empty queryset, should be the original queryset",
      "issue_body": "",
      "issue_closed_at": "2017-06-13T01:16:29",
      "base_commit": "9dc83c356d363c090f3351c908cad6f823aeb7bf",
      "changes": [
        {
          "file": "django/db/models/query.py",
          "type": "function",
          "name": "_combinator_query",
          "class_name": "QuerySet",
          "code": "def _combinator_query(self, combinator, *other_qs, all=False):\n        # Clone the query to inherit the select list and everything\n        clone = self._clone()\n        # Clear limits and ordering so they can be reapplied\n        clone.query.clear_ordering(True)\n        clone.query.clear_limits()\n        clone.query.combined_queries = (self.query,) + tuple(qs.query for qs in other_qs)\n        clone.query.combinator = combinator\n        clone.query.combinator_all = all\n        return clone"
        },
        {
          "file": "django/db/models/sql/compiler.py",
          "type": "function",
          "name": "get_combinator_sql",
          "class_name": "SQLCompiler",
          "code": "def get_combinator_sql(self, combinator, all):\n        features = self.connection.features\n        compilers = [\n            query.get_compiler(self.using, self.connection)\n            for query in self.query.combined_queries\n        ]\n        if not features.supports_slicing_ordering_in_compound:\n            for query, compiler in zip(self.query.combined_queries, compilers):\n                if query.low_mark or query.high_mark:\n                    raise DatabaseError('LIMIT/OFFSET not allowed in subqueries of compound statements.')\n                if compiler.get_order_by():\n                    raise DatabaseError('ORDER BY not allowed in subqueries of compound statements.')\n        parts = (compiler.as_sql() for compiler in compilers)\n        combinator_sql = self.connection.ops.set_operators[combinator]\n        if all and combinator == 'union':\n            combinator_sql += ' ALL'\n        braces = '({})' if features.supports_slicing_ordering_in_compound else '{}'\n        sql_parts, args_parts = zip(*((braces.format(sql), args) for sql, args in parts))\n        result = [' {} '.format(combinator_sql).join(sql_parts)]\n        params = []\n        for part in args_parts:\n            params.extend(part)\n        return result, params"
        }
      ]
    }
  ]
}