Don't use an hardcoded session key

This fixes a trivial authentication bypass, according to https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions
2020-04-29 13:58:16 +02:00 · 2020-04-29 13:58:16 +02:00 · 523aab2e9e
commit 523aab2e9e
parent 0297823bda
1 changed files with 1 additions and 1 deletions
--- a/cps/init.py
+++ b/cps/init.py
@ -89,7 +89,7 @@ def create_app():
    log.info('Starting Calibre Web...')
    Principal(app)
    lm.init_app(app)
-    app.secret_key = os.getenv('SECRET_KEY', 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT')
+    app.secret_key = os.getenv('SECRET_KEY', os.urandom(32))

    web_server.init_app(app, config)
    db.setup_db(config)