From 087841d5b705942cc50d9fabf3e91e8530501d65 Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Thu, 13 Dec 2018 14:23:17 +0100
Subject: [PATCH] Fix the way we handle the application context

The init script was pushing an application context, which maked flask.g global and persisted across requests. This was evaluated to have a minimal security impact. This explains/fixes #738: flask_wtf caches the csrf token in the application context to have a single token per request, and only sets the session attribute after the first generation.
---
 core/admin/mailu/__init__.py | 1 -
 core/admin/mailu/internal/views/auth.py | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 6b245c3b..4de3e580 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -8,7 +8,6 @@ def create_app_from_config(config):
     """ Create a new application based on the given configuration
     """
     app = flask.Flask(__name__)
-    app.app_context().push()
     app.cli.add_command(manage.mailu)
 
     # Bootstrap is used for basic JS and CSS loading
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 459a8e57..83a63953 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -9,7 +9,7 @@ import base64
 
 @internal.route("/auth/email")
 @utils.limiter.limit(
-    app.config["AUTH_RATELIMIT"],
+    lambda: app.config["AUTH_RATELIMIT"],
     lambda: flask.request.headers["Client-Ip"]
 )
 def nginx_authentication():
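Review bot: The new `lambda: app.config["AUTH_RATELIMIT"]` in the auth.py hunk moves the config lookup from import time to every request, so a missing or misspelled `AUTH_RATELIMIT` key now surfaces as a `KeyError` on the first call to `/auth/email` instead of failing at startup; a one-line comment such as `# deferred: app.config is only readable inside an app/request context now that create_app no longer pushes one` would explain why a callable is used, and a startup check that the key is present would restore the fail-fast behaviour. Where the module-level `app` name comes from is outside the hunk; if it is the application object itself, `flask.current_app.config["AUTH_RATELIMIT"]` would express the same deferred lookup without relying on an import-time binding. The body of `nginx_authentication` continues outside the hunk.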