From 523aab2e9e2f8eb712e57ba627f21a9c83720f98 Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Wed, 29 Apr 2020 13:58:16 +0200
Subject: [PATCH] Don't use an hardcoded session key

This fixes a trivial authentication bypass,
according to https://flask.palletsprojects.com/en/1.1.x/quickstart/#sessions
---
 cps/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cps/__init__.py b/cps/__init__.py
index 15820b86..9d7f8a9b 100755
--- a/cps/__init__.py
+++ b/cps/__init__.py
@@ -89,7 +89,7 @@ def create_app():
     log.info('Starting Calibre Web...')
     Principal(app)
     lm.init_app(app)
-    app.secret_key = os.getenv('SECRET_KEY', 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT')
+    app.secret_key = os.getenv('SECRET_KEY', os.urandom(32))
 
     web_server.init_app(app, config)
     db.setup_db(config)