Fix: no-random secret key generation and XSS vulnerability

2023-06-18 19:44:19 +08:00 · 2023-06-18 19:44:19 +08:00 · f01c334827
parent 708a6a2821
commit f01c334827
2 changed files with 13 additions and 1 deletions
--- a/app/admin_service.py
+++ b/app/admin_service.py
@ -56,6 +56,7 @@ def article():
    
    _articles = get_page_articles(_cur_page, _page_size)
    for article in _articles:   # 获取每篇文章的title
+        article = escape(article)
        article.title = article.text.split("\n")[0]
        article.content = '<br/>'.join(article.text.split("\n")[1:])
    
--- a/app/main.py
+++ b/app/main.py
@ -12,8 +12,10 @@ import Yaml
 from user_service import userService
 from account_service import accountService
 from admin_service import adminService, ADMIN_NAME
+import os
+
 app = Flask(__name__)
-app.secret_key = 'lunch.time!'
+app.secret_key = os.urandom(32)

 # 将蓝图注册到Lab app
 app.register_blueprint(userService)
@ -54,6 +56,15 @@ def appears_in_test(word, d):
    else:
        return ','.join(d[word])

+@app.before_request
+def restrict_file_access():
+    '''
+    禁止直接访问/static下的数据库文件
+    '''
+    requested_path = request.path
+    normalized_path = os.path.normpath(requested_path)
+    if normalized_path.startswith('/static/') and normalized_path.endswith('wordfreqapp.db'):
+        return abort(403)

@app.route("/mark", methods=['GET', 'POST'])
 def mark_word():