Fix the way we handle the application context

The init script was pushing an application context, which maked flask.g global and persisted across requests. This was evaluated to have a minimal security impact. This explains/fixes #738: flask_wtf caches the csrf token in the application context to have a single token per request, and only sets the session attribute after the first generation.
7 years ago · 087841d5b7
parent b5f51b0e2e
commit 087841d5b7
2 changed files with 1 additions and 2 deletions
--- a/core/admin/mailu/init.py
+++ b/core/admin/mailu/init.py
@ -8,7 +8,6 @@ def create_app_from_config(config):
    """ Create a new application based on the given configuration
    """
    app = flask.Flask(__name__)
-    app.app_context().push()
    app.cli.add_command(manage.mailu)

    # Bootstrap is used for basic JS and CSS loading
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@ -9,7 +9,7 @@ import base64

@internal.route("/auth/email")
@utils.limiter.limit(
-    app.config["AUTH_RATELIMIT"],
+    lambda: app.config["AUTH_RATELIMIT"],
    lambda: flask.request.headers["Client-Ip"]
 )
 def nginx_authentication():