Prerequisite
Have a password with extended ASCII characters. e.g.:
kyæöéXÛË£(WM|¯þUÂ'«þèèT-WøyÚãÍ:#6LÛÉÿÑL_ÕjF¯÷p1frÖ"µgû»õ¢|Õ¯2Ë·¤¯>ÑÈTBð4.3>©Y_y@Òç5#6m"såIaö¼³à%ùêôtÌEâÄÂâ|®Zósèà%[¾ÃúÔàê¼c®Aë^ß
When:
- Go to “edit” in my settings.
- I enter my current password to change it (which I know is correct, as I could log in seconds ago)
- I enter “New password” and the confirmation.
- I click “Change Password”
Expected Behaviour
The password changes
Current behaviour
The current password is invalid.
My running hypothesis is that every form that is not the main login is sending the password note encoded with the appropriate encoding.
This is what I think is happening:
> urllib.parse.quote_plus(u"£".encode("latin-1"))
'%A3'
> urllib.parse.quote_plus(u"£")
'%C2%A3'