This is an automated email from the ASF dual-hosted git repository. ash pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 05f57b90ed76982de8953967e2cc8a5a5b03bf3b
Author: XD-DENG <[email protected]>
AuthorDate: Sun Jul 29 11:57:46 2018 +0200

[AIRFLOW-2809] Fix security issue regarding Flask SECRET_KEY

It's recommended by Falsk community to use random SECRET_KEY for security reason. However, in Airflow there is a default value for secret_key and most users will ignore to change it. This may cause security concern.

Closes #3651 from XD-DENG/patch-2

(cherry picked from commit dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6)
---
 airflow/www/app.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/airflow/www/app.py b/airflow/www/app.py
index 58e82b9..2d463a2 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -19,6 +19,7 @@ #
 import datetime
 import logging
+import os
 from typing import Any
 import flask
@@ -49,6 +50,7 @@ log = logging.getLogger(__name__)
 def create_app(config=None, testing=False):
+ app = Flask(__name__)
 if conf.getboolean('webserver', 'ENABLE_PROXY_FIX'):
 app.wsgi_app = ProxyFix(
@@ -64,6 +66,12 @@ def create_app(config=None, testing=False):
 app.config['LOGIN_DISABLED'] = not conf.getboolean(
 'webserver', 'AUTHENTICATE')
+ if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+ log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
+ app.secret_key = os.urandom(16)
+ else:
+ app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+ app.config['SESSION_COOKIE_HTTPONLY'] = True
 app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
 app.config['SESSION_COOKIE_SAMESITE'] = conf.get('webserver', 'COOKIE_SAMESITE')
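Review bot: The fallback `app.secret_key = os.urandom(16)` in the new `if` branch produces a different key in every process that calls `create_app`, so if the webserver is served by more than one worker process, or is restarted, session cookies and CSRF tokens signed by one process will fail to verify in another; that consequence is worth stating where the operator will see it. I would log it at warning level rather than info, e.g. `log.warning("SECRET_KEY for Flask App is not specified. Using a random one; sessions will not be shared across webserver processes or survive a restart. Set [webserver] secret_key.")`. The sentinel check only recognises the literal `"temporary_key"` default, so an empty value still falls through to the `else` branch; `if not key or key == "temporary_key":` (with `key` read once) would cover that case too. As a style point, the two new `configuration.conf.get(...)` calls could use the `conf` alias the surrounding lines already use. `create_app` starts and ends outside this hunk.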
