You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/12/01 21:19:00 UTC

[jira] [Commented] (AIRFLOW-2809) Fix security issue regarding Flask SECRET_KEY

    [ https://issues.apache.org/jira/browse/AIRFLOW-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241879#comment-17241879 ] 

ASF subversion and git services commented on AIRFLOW-2809:
----------------------------------------------------------

Commit 05f57b90ed76982de8953967e2cc8a5a5b03bf3b in airflow's branch refs/heads/v1-10-test from Xiaodong Deng
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=05f57b9 ]

[AIRFLOW-2809] Fix security issue regarding Flask SECRET_KEY

It's recommended by Falsk community to use random
SECRET_KEY for security reason.

However, in Airflow there is a default value for
secret_key and most users will ignore to change
it.

This may cause security concern.

Closes #3651 from XD-DENG/patch-2

(cherry picked from commit dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6)


> Fix security issue regarding Flask SECRET_KEY
> ---------------------------------------------
>
>                 Key: AIRFLOW-2809
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2809
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: webserver
>            Reporter: Xiaodong Deng
>            Assignee: Xiaodong Deng
>            Priority: Major
>             Fix For: 2.0.0
>
>
> h2. Background
> Currently there is a configuration item *secret_key* in the configuration .cfg file, with a default value "temporary_key".
> h2. Issue
> Most admins would ignore it and just use the default value "temporary_key". However, this may be very dangerous. User may modify the cookie if they try the default SECRET_KEY while the admin didn't change it.
> In Flask documentation, it's suggested to have a SECRET_KEY which is as random as possible ([http://flask.pocoo.org/docs/1.0/quickstart/] ). 
> h2. My Proposal
> If Admin explicitly specified the SECRET_KEY in *.cfg* file, we use this SECRET_KEY given by Admin.
> If the default SECRET_KEY is not changed in *.cfg* file, randomly generate SECRET_KEY. Meanwhile, print INFO to remind that a randomly generated SECRET_KEY is used.
> This solution will not affect user experience at all. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)