Don't use an hardcoded session key
This fixes a trivial authentication bypass, according to https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions
This commit is contained in:
parent
0297823bda
commit
523aab2e9e
@ -89,7 +89,7 @@ def create_app():
log.info('Starting Calibre Web...')
Principal(app)
lm.init_app(app)
app.secret_key = os.getenv('SECRET_KEY', 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT')
app.secret_key = os.getenv('SECRET_KEY', os.urandom(32))
|
web_server.init_app(app, config)
db.setup_db(config)
|
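Review bot: The new `app.secret_key = os.getenv('SECRET_KEY', os.urandom(32))` line draws a fresh random key on every process start, so whenever SECRET_KEY is unset each restart invalidates every existing session, and under a multi-process WSGI server each worker signs cookies with a different key, so a session issued by one worker is rejected by the others. Consider generating the key once and persisting it in the application's own configuration store, using `os.urandom(32)` only to seed that stored value the first time, so the key is stable across restarts and shared by all workers; this presumes a writable config location exists, which this hunk does not show. It would also help operators to log the fallback, e.g. `log.warning('SECRET_KEY not set; using a generated session key')`, since an ephemeral key otherwise fails silently as spurious logouts. The body of `create_app()` starts and ends outside this hunk.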