[ https://issues.apache.org/jira/browse/AIRFLOW-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaodong DENG updated AIRFLOW-2809:
-----------------------------------
    External issue URL: https://github.com/apache/incubator-airflow/pull/3651
           Description: 
h2. Background

Currently there is a configuration item *secret_key* in the configuration .cfg 
file, with the default value "temporary_key".
h2. Issue

Most admins would ignore it and just use the default value "temporary_key". 
However, this may be very dangerous. A user may modify the cookie if they try the 
default SECRET_KEY while the admin has not changed it.

In the Flask documentation, it is suggested to have a SECRET_KEY which is as random 
as possible ([http://flask.pocoo.org/docs/1.0/quickstart/]). 
h2. My Proposal

If the admin explicitly specifies the SECRET_KEY in the *.cfg* file, we use this 
SECRET_KEY given by the admin.

If the default SECRET_KEY is not changed in the *.cfg* file, randomly generate a 
SECRET_KEY. Meanwhile, print an INFO message to remind that a randomly generated 
SECRET_KEY is used.

This solution will not affect user experience at all. 
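The fallback described in the proposal, as an added example (not the code from the linked pull request): it reads the key from the cfg text, keeps an explicitly configured value, and otherwise generates a random one and logs at INFO. The section name `[webserver]` and the key length are assumptions.

```python
import configparser
import logging
import secrets
from typing import Tuple

# Shipped default from the issue; any install still carrying it is treated as unconfigured.
DEFAULT_SECRET_KEY = "temporary_key"
# Assumed: the option lives under [webserver] in the .cfg file.
CFG_SECTION = "webserver"

log = logging.getLogger(__name__)


def resolve_secret_key(cfg_text: str) -> Tuple[str, bool]:
    """Return (secret_key, generated).

    An explicit, non-default value from the cfg wins. A missing, empty or
    default value is replaced by a random key and an INFO line is logged,
    as the proposal describes.
    """
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    configured = parser.get(CFG_SECTION, "secret_key", fallback="").strip()

    if configured and configured != DEFAULT_SECRET_KEY:
        return configured, False

    # Assumed size: 32 random bytes, URL-safe base64 encoded, from a CSPRNG.
    generated = secrets.token_urlsafe(32)
    log.info(
        "secret_key in [%s] is missing or still the default %r; "
        "using a randomly generated SECRET_KEY for this process",
        CFG_SECTION, DEFAULT_SECRET_KEY,
    )
    return generated, True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample configs: one unchanged default, one admin-set key.
    for sample in ("[webserver]\nsecret_key = temporary_key\n",
                   "[webserver]\nsecret_key = admin-chosen-key-example\n"):
        key, generated = resolve_secret_key(sample)
        print("generated" if generated else "configured", key)
```

Because the generated key exists only in that process, sessions signed with it do not survive a restart and are not shared between several webserver instances; setting the key explicitly in the cfg avoids both.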

  was:
h2. Background

Currently there is a configuration item *secret_key* in the configuration .cfg 
file, with the default value "temporary_key".
h2. Issue

Most users would ignore it and just use the default value "temporary_key". 
However, this may be very dangerous. A user may modify the cookie if they try the 
default SECRET_KEY while the admin has not changed it.

In the Flask documentation, it is suggested to have a SECRET_KEY which is as random 
as possible ([http://flask.pocoo.org/docs/1.0/quickstart/]). 
h2. My Proposal

If the admin explicitly specifies the SECRET_KEY in the *.cfg* file, we use this 
SECRET_KEY given by the admin.

If the default SECRET_KEY is not changed in the *.cfg* file, randomly generate a 
SECRET_KEY. Meanwhile, print an INFO message to remind that a randomly generated 
SECRET_KEY is used.

This solution will not affect user experience at all. 


> Security Issue Regarding Flask SECRET_KEY
> -----------------------------------------
>
>                 Key: AIRFLOW-2809
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2809
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: webserver
>            Reporter: Xiaodong DENG
>            Assignee: Xiaodong DENG
>            Priority: Major
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)