1
0
Fork 0

Fix: no-random secret key generation and XSS vulnerability

fix-vuln
徐宣 2023-06-18 19:44:19 +08:00
parent 708a6a2821
commit f01c334827
2 changed files with 13 additions and 1 deletions

View File

@ -56,6 +56,7 @@ def article():
_articles = get_page_articles(_cur_page, _page_size)
for article in _articles: # 获取每篇文章的title
article = escape(article)
article.title = article.text.split("\n")[0]
article.content = '<br/>'.join(article.text.split("\n")[1:])

View File

@ -12,8 +12,10 @@ import Yaml
from user_service import userService
from account_service import accountService
from admin_service import adminService, ADMIN_NAME
import os
app = Flask(__name__)
app.secret_key = 'lunch.time!'
app.secret_key = os.urandom(32)
# 将蓝图注册到Lab app
app.register_blueprint(userService)
@ -54,6 +56,15 @@ def appears_in_test(word, d):
else:
return ','.join(d[word])
@app.before_request
def restrict_file_access():
'''
禁止直接访问/static下的数据库文件
'''
requested_path = request.path
normalized_path = os.path.normpath(requested_path)
if normalized_path.startswith('/static/') and normalized_path.endswith('wordfreqapp.db'):
return abort(403)
@app.route("/mark", methods=['GET', 'POST'])
def mark_word():