From f01c3348277cb65d9ae5f8cb935590702db6259b Mon Sep 17 00:00:00 2001
From: "1683793776@qq.com" <1683793776@qq.com>
Date: Sun, 18 Jun 2023 19:44:19 +0800
Subject: [PATCH 1/3] Fix: non-random secret key generation and XSS
vulnerability
---
app/admin_service.py | 1 +
app/main.py | 13 ++++++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/app/admin_service.py b/app/admin_service.py
index a604b5e..5ca93c2 100644
--- a/app/admin_service.py
+++ b/app/admin_service.py
@@ -56,6 +56,7 @@ def article():
_articles = get_page_articles(_cur_page, _page_size)
for article in _articles: # 获取每篇文章的title
+ article = escape(article)
article.title = article.text.split("\n")[0]
article.content = '
'.join(article.text.split("\n")[1:])
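Review bot: `article = escape(article)` escapes the string form of the whole article object rather than its text, and rebinds `article` to the escaped string, so the `article.title = ...` assignment on the next line no longer targets the record that was fetched and `article.text` is unlikely to exist on the rebound value. Escape the field that is actually rendered, e.g. `article.text = escape(article.text)` before the split, or better leave it to Jinja's autoescaping so the stored text is not altered. The enclosing `article()` view starts before the hunk, so whether the template later marks the value `|safe` (which would undo the fix) is not visible here.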
diff --git a/app/main.py b/app/main.py
index 4e3f829..b181561 100644
--- a/app/main.py
+++ b/app/main.py
@@ -12,8 +12,10 @@ import Yaml
from user_service import userService
from account_service import accountService
from admin_service import adminService, ADMIN_NAME
+import os
+
app = Flask(__name__)
-app.secret_key = 'lunch.time!'
+app.secret_key = os.urandom(32)
# 将蓝图注册到Lab app
app.register_blueprint(userService)
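Review bot: `app.secret_key = os.urandom(32)` yields a different key on every process start, so a restart invalidates every signed session and, under a multi-worker or multi-replica deployment, a cookie signed by one process is rejected by the others. Load the key from configuration and keep the random value only as a development fallback, e.g. `app.secret_key = os.environ.get('SECRET_KEY') or os.urandom(32)`, and document that deployments must set `SECRET_KEY`. Minor: `import os` is added after the local `*_service` imports; PEP 8 groups stdlib imports first.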
@@ -54,6 +56,15 @@ def appears_in_test(word, d):
else:
return ','.join(d[word])
+@app.before_request
+def restrict_file_access():
+ '''
+ 禁止直接访问/static下的数据库文件
+ '''
+ requested_path = request.path
+ normalized_path = os.path.normpath(requested_path)
+ if normalized_path.startswith('/static/') and normalized_path.endswith('wordfreqapp.db'):
+ return abort(403)
@app.route("/mark", methods=['GET', 'POST'])
def mark_word():
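Review bot: The new `before_request` guard denylists a single filename inside a directory Flask serves publicly by design, which is brittle: `os.path.normpath` is a filesystem routine rather than a URL normaliser, the match is exact on `wordfreqapp.db` only, and other private artefacts under `static/` (the `wordfreqapp.sql` dump and the frequency pickles named elsewhere in this series) stay reachable. The durable fix is to keep non-public files out of the static tree, which the third patch in this series does before removing this function again. Minor: `abort(403)` raises, so `return` is redundant, and `request` is used here without a visible import — confirm it is supplied by the existing star imports.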
From 2277473afe951c2061c8e503e6f807c4969ddcb8 Mon Sep 17 00:00:00 2001
From: "1683793776@qq.com" <1683793776@qq.com>
Date: Sun, 18 Jun 2023 19:49:33 +0800
Subject: [PATCH 2/3] Fix: Add import for 'abort' function
---
app/main.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/main.py b/app/main.py
index b181561..1b71226 100644
--- a/app/main.py
+++ b/app/main.py
@@ -5,7 +5,7 @@
# Copyright 2019 (C) Hui Lan
# Written permission must be obtained from the author for commercial uses.
###########################################################################
-from flask import escape
+from flask import escape, abort
from Login import *
from Article import *
import Yaml
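Review bot: Adding `abort` repairs one NameError in `restrict_file_access`, but that hook also uses `request`, and neither patch imports it; unless one of the `from Login import *` / `from Article import *` star imports happens to re-export it, the first request will still fail. An explicit `from flask import escape, abort, request` removes the dependency on what the star imports export. Note also that `flask.escape` is a re-export of `markupsafe.escape` that later Flask releases dropped, so `from markupsafe import escape` is the forward-compatible spelling.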
From f40a38827735b37cda10f48ba328b495cfb3b77d Mon Sep 17 00:00:00 2001
From: "1683793776@qq.com" <1683793776@qq.com>
Date: Mon, 19 Jun 2023 14:48:35 +0800
Subject: [PATCH 3/3] Fix: Move wordfreqapp.db to new location
---
.gitignore | 2 +-
Jenkinsfile | 4 ++--
README.md | 6 +++---
app/Article.py | 4 ++--
app/main.py | 10 ----------
app/model/__init__.py | 2 +-
6 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/.gitignore b/.gitignore
index 3d901ba..f58d558 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,7 @@ app/static/usr/*.jpg
app/static/img/
app/static/frequency/frequency_*.pickle
app/static/frequency/frequency.p
-app/static/wordfreqapp.db
+app/wordfreqapp.db
app/static/donate-the-author.jpg
app/static/donate-the-author-hidden.jpg
app/model/__pycache__/
\ No newline at end of file
diff --git a/Jenkinsfile b/Jenkinsfile
index 2633859..c3772cc 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -10,8 +10,8 @@ pipeline {
stages {
stage('MakeDatabasefile') {
steps {
- sh 'touch ./app/static/wordfreqapp.db && rm -f ./app/static/wordfreqapp.db'
- sh 'cat ./app/static/wordfreqapp.sql | sqlite3 ./app/static/wordfreqapp.db'
+ sh 'touch ./app/wordfreqapp.db && rm -f ./app/wordfreqapp.db'
+ sh 'cat ./app/static/wordfreqapp.sql | sqlite3 ./app/wordfreqapp.db'
}
}
stage('BuildIt') {
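Review bot: The database file is moved out of `static/`, but the schema it is built from, `./app/static/wordfreqapp.sql`, still lives in the publicly served directory, so the table layout (and any seed rows in that dump) remains downloadable; move the `.sql` next to the `.db` or exclude it from the deployed static tree. The `touch ... && rm -f ...` pair collapses to `rm -f ./app/wordfreqapp.db`, and `sqlite3 ./app/wordfreqapp.db < ./app/static/wordfreqapp.sql` avoids the `cat` pipe. The `stage('BuildIt')` body lies outside the hunk.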
diff --git a/README.md b/README.md
index 14cc9aa..a1a22d4 100644
--- a/README.md
+++ b/README.md
@@ -61,15 +61,15 @@ My steps for deploying English on a Ubuntu server.
All articles are stored in the `article` table in a SQLite file called
-`app/static/wordfreqapp.db`.
+`app/wordfreqapp.db`.
### Adding new articles
-To add articles, open and edit `app/static/wordfreqapp.db` using DB Browser for SQLite (https://sqlitebrowser.org).
+To add articles, open and edit `app/wordfreqapp.db` using DB Browser for SQLite (https://sqlitebrowser.org).
### Extending an account's expiry date
-By default, an account's expiry is 30 days after first sign-up. To extend account's expiry date, open and edit `user` table in `app/static/wordfreqapp.db`. Simply update field `expiry_date`.
+By default, an account's expiry is 30 days after first sign-up. To extend account's expiry date, open and edit `user` table in `app/wordfreqapp.db`. Simply update field `expiry_date`.
### Exporting the database
diff --git a/app/Article.py b/app/Article.py
index df9ac3a..4b7632f 100644
--- a/app/Article.py
+++ b/app/Article.py
@@ -15,7 +15,7 @@ path_prefix = './' # comment this line in deployment
def total_number_of_essays():
- rq = RecordQuery(path_prefix + 'static/wordfreqapp.db')
+ rq = RecordQuery(path_prefix + 'wordfreqapp.db')
rq.instructions("SELECT * FROM article")
rq.do()
result = rq.get_results()
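Review bot: The database location is now spelled in three places with two different resolution rules: here and in `get_today_article` (the second hunk of this file) it is `path_prefix + 'wordfreqapp.db'`, resolved against the process working directory through a `./` prefix the comment says to change for deployment, while `app/model/__init__.py` binds `../wordfreqapp.db`, which Pony appears to resolve relative to that module's own file. If the two ever disagree, `create_db=True` on the Pony side silently creates a second, empty database instead of failing. One module-level constant derived from `__file__`, e.g. `DB_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'wordfreqapp.db')` (if `os` is available in this module), used by both callers would pin a single location; `total_number_of_essays` continues past the hunk.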
@@ -33,7 +33,7 @@ def get_article_body(s):
def get_today_article(user_word_list, visited_articles):
- rq = RecordQuery(path_prefix + 'static/wordfreqapp.db')
+ rq = RecordQuery(path_prefix + 'wordfreqapp.db')
if visited_articles is None:
visited_articles = {
"index" : 0, # 为 article_ids 的索引
diff --git a/app/main.py b/app/main.py
index 1b71226..5d5f7cc 100644
--- a/app/main.py
+++ b/app/main.py
@@ -56,16 +56,6 @@ def appears_in_test(word, d):
else:
return ','.join(d[word])
-@app.before_request
-def restrict_file_access():
- '''
- 禁止直接访问/static下的数据库文件
- '''
- requested_path = request.path
- normalized_path = os.path.normpath(requested_path)
- if normalized_path.startswith('/static/') and normalized_path.endswith('wordfreqapp.db'):
- return abort(403)
-
@app.route("/mark", methods=['GET', 'POST'])
def mark_word():
'''
diff --git a/app/model/__init__.py b/app/model/__init__.py
index 9526313..a360d0c 100644
--- a/app/model/__init__.py
+++ b/app/model/__init__.py
@@ -1,7 +1,7 @@
from pony.orm import *
db = Database()
-db.bind("sqlite", "../static/wordfreqapp.db", create_db=True) # bind sqlite file
+db.bind("sqlite", "../wordfreqapp.db", create_db=True) # bind sqlite file
class User(db.Entity):