From f01c3348277cb65d9ae5f8cb935590702db6259b Mon Sep 17 00:00:00 2001
From: "1683793776@qq.com" <1683793776@qq.com>
Date: Sun, 18 Jun 2023 19:44:19 +0800
Subject: [PATCH] Fix: no-random secret key generation and XSS vulnerability
---
app/admin_service.py | 1 +
app/main.py | 13 ++++++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/app/admin_service.py b/app/admin_service.py
index a604b5e..5ca93c2 100644
--- a/app/admin_service.py
+++ b/app/admin_service.py
@@ -56,6 +56,7 @@ def article():
_articles = get_page_articles(_cur_page, _page_size)
for article in _articles:
# 获取每篇文章的title
+ article = escape(article)
article.title = article.text.split("\n")[0]
article.content = '
'.join(article.text.split("\n")[1:])
diff --git a/app/main.py b/app/main.py
index 4e3f829..b181561 100644
--- a/app/main.py
+++ b/app/main.py
@@ -12,8 +12,10 @@ import Yaml
from user_service import userService
from account_service import accountService
from admin_service import adminService, ADMIN_NAME
+import os
+
app = Flask(__name__)
-app.secret_key = 'lunch.time!'
+app.secret_key = os.urandom(32)
# 将蓝图注册到Lab app
app.register_blueprint(userService)
@@ -54,6 +56,15 @@ def appears_in_test(word, d):
else:
return ','.join(d[word])
+@app.before_request
+def restrict_file_access():
+ '''
+ 禁止直接访问/static下的数据库文件
+ '''
+ requested_path = request.path
+ normalized_path = os.path.normpath(requested_path)
+ if normalized_path.startswith('/static/') and normalized_path.endswith('wordfreqapp.db'):
+ return abort(403)
@app.route("/mark", methods=['GET', 'POST'])
def mark_word():
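Review bot: The added `article = escape(article)` escapes the article object instead of its text: escape() builds a Markup string from str(article), so the very next line `article.title = ...` assigns an attribute on a str subclass and raises AttributeError, and `article.text` is no longer reachable — the view breaks rather than being hardened. Escape the string once and derive both fields from it: `safe_text = escape(article.text)` followed by `article.title = safe_text.split("\n")[0]`, and use `safe_text.split("\n")[1:]` in the join on the following line. Whether `escape` is imported in admin_service.py is not visible in this hunk; escaping here is the right place only if the template renders these fields with autoescaping disabled to keep the join separator as markup, otherwise Jinja autoescaping already covers them. The body of article() continues outside the hunk.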
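Review bot: `app.secret_key = os.urandom(32)` draws a new key on every process start, so every signed session cookie is invalidated on restart and, under a multi-worker server, each worker signs with a different key and rejects the sessions issued by its siblings. Read the key from configuration and keep the random value only as a development fallback: `app.secret_key = os.environ.get("SECRET_KEY") or os.urandom(32)`, with a comment stating that a deployment must set SECRET_KEY. Style: `import os` is a standard-library import and belongs with the other stdlib imports at the head of the import block rather than after the local `from ... import` lines.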
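Review bot: `restrict_file_access` denies exactly one filename under /static/, so any other copy of the database reachable through the static route — a renamed backup, or the `-journal`/`-wal` sidecar files SQLite creates next to the main file depending on journal mode — is still served, and the comparison is case-sensitive. A path-based deny rule is a weaker fix than keeping the database outside the static folder; if it must stay, match on the suffix instead of the name: `if normalized_path.lower().startswith('/static/') and normalized_path.lower().endswith(('.db', '.db-journal', '.db-wal')):`. `os.path.normpath` is platform-dependent and rewrites `/` as `\` on Windows, where the `startswith('/static/')` test would then never match; `posixpath.normpath` is the right normalizer for URL paths. The function relies on `request` and `abort` being imported from flask, which this hunk does not show, and since `abort(403)` raises, the bare call `abort(403)` is the idiomatic form; PEP 8 also expects two blank lines between the new function and the following `@app.route` decorator.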