Passwords containing all spaces are allowed

Looks to me like this is due to a bug in core: Without Password Policy installed, if you save a password with all spaces, Drupal treats the password field the same as if it were empty and does not update the password.

If you save a password of, say, four spaces, Password Policy sees the empty string for the password (in hook_user_update()). Password Policy cannot validate a password it cannot see.

There is no security implication for Password Policy because it seems users cannot actually save passwords that violate the constraints. Drupal just gives the appearance that a user is able to save a password violating the constraints. (Please correct me if wrong.) Therefore, downgrading the priority of this issue to Minor.

Will open a bug on core, if none already exists.

Relevant core issue:
https://drupal.org/node/1921576

Drupal removing leading/trailing spaces causes the Password Policy JavaScript indication of which password requirements have been met to be incorrect. If you have a minimum character count of 5, and you use the password "abcd ", all seems fine until you press Save.

Since it sounds like Drupal will keep the behavior of stripping leading/trailing spaces, probably the Password Policy JavaScript should also strip leading/trailing spaces before evaluating constraints.

Candidate fix. Does the following:
1. Trims password input prior to evaluating constraints. This makes the JavaScript validation consistent with the form validation.
2. Warns the user that the password will not actually be saved when it contains all spaces.
3. Notifies the user when whitespace is being trimmed from the password input. This is intended to eliminate confusion when their input is, say, "abcd ", but Password Policy complains that the password must be five characters.

The code itself would need simplification and perhaps forward porting, but I was hoping the concept/functionality of the fix could be reviewed first.

Just to be clear, while there is an open core issue, Password Policy has bugs in the handling of leading and trailing spaces independent of that issue, which my previously posted patch fixes. The core issue will not fix these bugs.

For instance, even if Drupal core warned a user that leading/trailing spaces were stripped from their saved password, as the linked core issue proposes, the Password Policy JavaScript constraints checking would still be incorrect.

This is a low-risk change that fixes a clear bug, and I'm not sure anyone is going to test the patch, so went ahead and committed/pushed.

Needs porting to 6.x-1.x.

Screenshots of new cases handled by JavaScript in D6.

Reverted 7.x-1.x commit because a few things need improvement.

D6 patch that goes with screenshots above.

New D7.1 patch. Same behavior as D6 patch in #11.

The JavaScript messages are needed because the user may otherwise not know why their password is not meeting the constraints. For example, without the messages, the minimum password length could be 5, the user enters a password of 5 characters with a leading space, and the JavaScript validation confusingly reports the password does not the minimum length of 5.

Accidentally pushed the fix when pushing an unrelated fix for the 7.x-2.x branch. I wanted to give some time for review, but oh well, let's go with it.

Implemented the same handling of leading/trailing spaces in 7.x-2.x as with 7.x-1.x and 6.x-1.x.

However, I realized a problem with the current implementation:
A warning is given when a password passes all constraints, but has leading and/or trailing spaces. (The thought was a user might be misled into believing leading and/or trailing spaces are being saved as a part of their password.) In order for that warning to be displayed, a non-100 strength must be given for the password. This causes the meter to not be full, which is misleading. The password meets all constraints so should be given full strength.

The warning about leading/trailing spaces is really only needed when constraints are failing, so a fix is to just remove it for the case when all constraints are passing.

Changed to only warn about leading/trailing spaces when constraints unmet:

6.x-1.x: http://drupalcode.org/project/password_policy.git/commit/867973c
7.x-1.x: http://drupalcode.org/project/password_policy.git/commit/1002e4d
7.x-2.x: http://drupalcode.org/project/password_policy.git/commit/1426125