From c5236c6fc4916343760174306d72c4c0a6a41287 Mon Sep 17 00:00:00 2001
From: iou1name
Date: Tue, 5 Jun 2018 17:19:59 -0400
Subject: [PATCH] added Flask-paranoid module to secure cookies better
---
 README.md | 2 +-
 fileHost.py | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index f48daf2..a2dd7d5 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,6 @@ Note: I switched to Gunicorn at some point because Bjoern was somehow annoying.
 Dependencies:
-```passlib argon2_cffi flask gunicorn```
+```passlib argon2_cffi flask gunicorn flask-paranoid```
 This application makes use of the `secrets` module (a cryptographically strong version of `random`) from the standard library, which is only available in Python 3.6+. If you really can't be bothered use the latest version of python3, or just don't want cryptographically strong random character filenames/prefixes for some reason, you can directly replace all instances of `secrets` with `random`.
diff --git a/fileHost.py b/fileHost.py
index f03fdb0..7a231a5 100755
--- a/fileHost.py
+++ b/fileHost.py
@@ -14,6 +14,7 @@ from passlib.hash import argon2
 from flask import Flask, session, request, abort, redirect, url_for, g, \
 render_template
 from werkzeug.utils import secure_filename
+from flask_paranoid import Paranoid
 class ReverseProxied(object):
 """
@@ -74,7 +75,6 @@ app.config["UPLOAD_URL"] = "https://steelbea.me/up/"
 app.config["DB_NAME"] = "fileHost.db"
 app.config["DB_LOCK"] = threading.Lock()
-
 def db_execute(*args, **kwargs):
 """
 Opens a connection to the app's database and executes the SQL statements
@@ -88,7 +88,6 @@ def db_execute(*args, **kwargs):
 return res
-
 def init():
 """
 Initializes the application.
@@ -114,7 +113,8 @@ def init():
 "id INTEGER PRIMARY KEY,"
 "username TEXT,"
 "pw_hash TEXT,"
- "admin BOOL DEFAULT FALSE)")
+ "admin BOOL DEFAULT FALSE,"
+ "token)")
 db_execute("CREATE TABLE uploads("
 "filename TEXT,"
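Review bot: The new `token` column added to the users CREATE TABLE is declared with no type, unlike its sibling columns, and nothing else in this patch reads or writes it — the Flask-Paranoid setup in the later hunk keeps its token in the session rather than the database, as far as I recall. If the column is intended for some other purpose, `"token TEXT)"` would keep the schema consistent and a short comment naming what stores it would help; if it is not needed, drop it. Note also that a CREATE TABLE change only affects freshly initialised databases, so an existing fileHost.db will not gain the column unless there is a migration step I cannot see here. init() starts and ends outside the hunk.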
@@ -127,6 +127,10 @@ def init():
 t.start()
 app.config["CRON_THREAD"] = t
+ # init paranoid
+ app.config["paranoid"] = Paranoid(app)
+ app.config["paranoid"].redirect_view = 'login'
+
 def add_user(username, password, admin="FALSE"):
 """
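Review bot: `Paranoid(app)` is stored in `app.config["paranoid"]`, which puts a live extension object into a mapping meant for settings; the conventional pattern is a module-level `paranoid = Paranoid(app)` next to `app`, followed by `paranoid.redirect_view = 'login'`. More importantly, the protection this adds depends on the client address: as far as I recall Flask-Paranoid derives its token from `request.remote_addr` and the User-Agent header, so behind the ReverseProxied middleware visible in the earlier hunk the check only distinguishes clients if REMOTE_ADDR is rewritten from the proxy's forwarded-address header — otherwise every client shares the proxy's address and the token degrades to a User-Agent check, which is worth confirming against that class. Either way, replace the `# init paranoid` comment with one that states the contract, e.g. `# Bind the session to the client's address/User-Agent fingerprint; on a mismatch Flask-Paranoid presumably clears the session and redirects to the 'login' endpoint`. init() starts outside the hunk.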