PuppetBoard: Upgrading WTForms to latest version and restoring CSRF Protection (#250)
Upgrading the following packages to the respective versions: WTForms==2.1 Flask-WTF==0.12 Werkzeug==0.11.0.
Passing newly required metadata to the QueryForm constructor in puppetboard/app.py.
Apache >= 2.4 with mod_wsgi experienced a major issue where it would re-generate the app's secret key on each request. The fix for this turned out to be placing a permanent static 'secret_key' value in the wsgi.py.
Adding a block in README.rst on how to implement the user's own secret_key.
This commit is contained in:
18
README.rst
@@ -287,6 +287,24 @@ puppetboard directory:
Make sure this file is readable by the user the webserver runs as.
Flask requires a static secret_key in order to protect itself from CSRF exploits.
The default secret_key in ``default_settings.py`` generates a random 24 character
string, however this string is re-generated on each request under httpd >= 2.4.
To generate your own secret_key create a python script with the following content
and run it once:
.. code_block:: python
import os
print os.random(24)
Copy the output and add the following to your ``wsgi.py`` file:
.. code_block:: python
application.secret_key = '<your secret key>'
The last thing we need to do is configure Apache.
Here is a sample configuration for Debian and Ubuntu:
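Review bot: two defects in the added README text will stop a user from following it. First, both directives are spelled ``.. code_block:: python``; the reStructuredText directive is ``code-block`` with a hyphen, so as written Sphinx/docutils reports an unknown directive instead of rendering the snippets. Second, ``print os.random(24)`` calls a function that does not exist in the ``os`` module; the CSPRNG helper the text means is ``os.urandom(24)``. Suggest ``.. code-block:: python`` for both blocks and ``print(repr(os.urandom(24)))`` for the key generator, so the printed value is a quoted literal that can be pasted directly into ``application.secret_key = ...`` and the snippet also runs unchanged on Python 3. It would also help to say in the same paragraph that the static key must be the same across all workers (the whole point of moving it out of ``default_settings.py``) and that ``wsgi.py`` now holds a secret and should be protected like the settings file the preceding sentence already covers.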