Don't use an hardcoded session key

This fixes a trivial authentication bypass,
according to https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions
jvoisin 2020-04-29 13:58:16 +02:00
parent 0297823bda
commit 523aab2e9e


@ -89,7 +89,7 @@ def create_app():
log.info('Starting Calibre Web...')
Principal(app)
lm.init_app(app)
app.secret_key = os.getenv('SECRET_KEY', 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT')
app.secret_key = os.getenv('SECRET_KEY', os.urandom(32))
web_server.init_app(app, config)
db.setup_db(config)
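Review bot: The `os.urandom(32)` fallback on the new `app.secret_key` line is evaluated each time create_app() runs, so when SECRET_KEY is unset every restart mints a new key (all existing sessions are silently invalidated) and, in a multi-process deployment, each worker holds a different key, so a session cookie signed by one worker fails verification on another. The change is correct as a fix for the hardcoded key, but the fallback should be visible to operators rather than silent: log a warning when the environment variable is missing and state in the deployment docs that SECRET_KEY must be set for sessions to persist. The `log` object used on the `log.info('Starting Calibre Web...')` line above appears to be a logger, so the same object can carry the warning; confirm it exposes `.warning`. create_app() begins before this hunk and continues after it.
```python
    secret_key = os.getenv('SECRET_KEY')
    if secret_key is None:
        # Per-process random key: sessions will not survive a restart
        # and will not be shared between worker processes.
        log.warning('SECRET_KEY is not set; using a random per-process key')
        secret_key = os.urandom(32)
    app.secret_key = secret_key
    # … unchanged: web_server.init_app(app, config), db.setup_db(config) …
```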