Correction d'une méga faille de sécu

Ajout d'un fail-safe si la clé est celle par défaut
This commit is contained in:
Darks 2019-12-04 12:22:16 +01:00
parent e99e45b4ca
commit f6be314ed7
Signed by: Darks
GPG Key ID: F61F10FA138E797C
3 changed files with 17 additions and 2 deletions


@ -8,6 +8,10 @@ import time
app = Flask(__name__)
app.config.from_object(Config)
# Check security of secret
if Config.SECRET_KEY == "a-random-secret-key":
raise Exception("Please use a strong secret key!")
db = SQLAlchemy(app)
migrate = Migrate(app, db)
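Review bot: The new guard on the `if Config.SECRET_KEY == "a-random-secret-key":` line rejects only that one placeholder string, so an empty or `None` key — which the `or` fallback in config.py would pass through if both the environment variable and the local_config value were unset — still gets past this check. Rejecting falsy values as well costs one condition: `if not Config.SECRET_KEY or Config.SECRET_KEY == "a-random-secret-key":`, and `raise RuntimeError("Please use a strong secret key!")` would be more specific than bare `Exception`. The placeholder literal is now duplicated between this file and local_config.py, so editing it in one place silently disables the check; a shared constant (or a minimum-length test alongside the equality) would keep the fail-safe robust. This is a module-level statement run that continues outside the hunk.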


@ -1,14 +1,16 @@
import os
import datetime
from local_config import DB_NAME
from local_config import DB_NAME, SECRET_KEY
class Config(object):
SECRET_KEY = os.environ.get('SECRET_KEY') or 'a-random-secret-key'
SECRET_KEY = os.environ.get('SECRET_KEY') or SECRET_KEY
SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URL') or \
'postgresql+psycopg2://' + os.environ.get('USER') + ':@/' + DB_NAME
SQLALCHEMY_TRACK_MODIFICATIONS = False
UPLOAD_FOLDER = './app/static/avatars'
SESSION_COOKIE_SECURE = True
REMEMBER_COOKIE_SECURE = True
class V5Config(object):
@ -27,3 +29,11 @@ class V5Config(object):
THREAD_NAME_MAXLEN = 32
# Remember-me cookie duration time
REMEMBER_COOKIE_DURATION = datetime.timedelta(days=7)
# XP points for content posting (and deletion)
XP_POINTS = {
'topic': 2,
'program': 5,
'tutorial': 5,
'comment': 1,
'contest': 10,
}
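Review bot: On the new `SECRET_KEY = os.environ.get('SECRET_KEY') or SECRET_KEY` line inside `class Config`, the right-hand `SECRET_KEY` resolves to the module-level name imported from local_config because the class attribute is not yet bound, so it works, but the attribute shadows the import and reads as a self-reference. Importing it under a distinct name removes the ambiguity: `from local_config import DB_NAME, SECRET_KEY as LOCAL_SECRET_KEY` and `SECRET_KEY = os.environ.get('SECRET_KEY') or LOCAL_SECRET_KEY`. The second hunk's `XP_POINTS` table is unrelated to the secret-key fix the commit message describes, which makes the change harder to audit later. The `class V5Config(object):` header closing the first hunk is context whose body continues outside the hunk.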


@ -2,3 +2,4 @@ DB_NAME = "pcv5"
USE_LDAP = False
LDAP_PASSWORD = "openldap"
LDAP_ORGANIZATION = "o=planet-casio"
SECRET_KEY = "a-random-secret-key" # CHANGE THIS VALUE *NOW*
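Review bot: The new `SECRET_KEY = "a-random-secret-key"` line puts the sentinel the application refuses in a tracked file, so the operator is told to edit it in place and the real key then sits one commit away from the repository, beside the `LDAP_PASSWORD` literal already in this file. A comment pointing at the environment variable config.py already honours, and showing how to generate a value, would steer deployments the safer way: `# CHANGE THIS VALUE *NOW* — prefer exporting SECRET_KEY in the environment; generate one with: python -c "import secrets; print(secrets.token_hex(32))"`. If this file is meant to hold per-deployment values, tracking an example/template copy and ignoring the real file would remove the risk of committing a live key altogether.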