From 523aab2e9e2f8eb712e57ba627f21a9c83720f98 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 29 Apr 2020 13:58:16 +0200
Subject: [PATCH] Don't use an hardcoded session key

This fixes a trivial authentication bypass, according to https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions
---
 cps/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cps/__init__.py b/cps/__init__.py
index 15820b86..9d7f8a9b 100755
--- a/cps/__init__.py
+++ b/cps/__init__.py
@@ -89,7 +89,7 @@ def create_app():
     log.info('Starting Calibre Web...')
     Principal(app)
     lm.init_app(app)
-    app.secret_key = os.getenv('SECRET_KEY', 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT')
+    app.secret_key = os.getenv('SECRET_KEY', os.urandom(32))
     web_server.init_app(app, config)
     db.setup_db(config)
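Review bot: The `os.urandom(32)` fallback on the added line produces a new key on every process start, so when `SECRET_KEY` is unset all existing sessions are invalidated on restart, and in a multi-process WSGI deployment each worker would presumably hold a different key and reject cookies signed by its siblings, with nothing telling the operator why logins keep dropping. Since `log` is already in scope a few lines above, it is worth splitting the lookup so the fallback is logged; treating an empty value as unset also avoids handing Flask an empty `secret_key`, which it refuses to use for sessions. Flask accepts both `str` and `bytes` for `secret_key`, so the mixed types between the env value and the random fallback are fine. The rest of `create_app` lies outside the hunk.
```python
    lm.init_app(app)
    secret_key = os.getenv('SECRET_KEY')
    if not secret_key:
        log.warning('SECRET_KEY is not set; using an ephemeral random key, sessions will not survive a restart')
        secret_key = os.urandom(32)
    app.secret_key = secret_key
    # … unchanged: web_server.init_app / db.setup_db …
```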