Commit a6cb3c78 authored by Ziirish's avatar Ziirish

some fixes for release

parent cf1b584e
Pipeline #594 failed with stages
......@@ -217,10 +217,12 @@ def init(conf=None, verbose=0, logfile=None, gunicorn=True, unittest=False, debu
app.setup(app.config['CFG'])
# manage application secret key
if not app.secret_key or app.secret_key == 'random':
if not app.secret_key or app.secret_key.lower() == 'random' and \
not gunicorn:
from base64 import b64encode
app.secret_key = b64encode(os.urandom(256))
elif app.secret_key == 'none':
elif app.secret_key.lower() == 'none' or \
(app.secret_key.lower() == 'random' and gunicorn):
app.secret_key = None
app.wsgi_app = ReverseProxied(app.wsgi_app, app)
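Review bot: In the `elif` branch, an `appsecret` of `random` under gunicorn is silently replaced by `None`, so a deployment that kept the shipped default ends up with no key for its session cookies and nothing in the log says so. Emit a warning at that point, for example `app.logger.warning("appsecret 'random' cannot be used with gunicorn; no secret key is set")`, or refuse to start. Separately, `and` binds tighter than `or` in the first condition, so an empty secret still takes the random branch when `gunicorn` is true. If that is not intended, the grouping needs explicit parentheses, and the `elif` must then handle the empty value before calling `.lower()`. `init` starts and continues outside the hunk.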
......
......@@ -127,7 +127,7 @@ class BUIServer(Flask):
self.sslkey = self._safe_config_get(config.get, 'sslkey')
self.prefix = self._safe_config_get(config.get, 'prefix')
if self.prefix and not self.prefix.startswith('/'):
if self.prefix.lower != 'none':
if self.prefix.lower() != 'none':
self.logger.warning("'prefix' must start with a '/'!")
self.prefix = ''
self.auth = self._safe_config_get(config.get, 'auth')
......
......@@ -64,7 +64,8 @@ scookie: true
# application secret to secure cookies. If you don't set anything, the default
# value is 'random' which will generate a new secret after every restart of your
# application. You can also set it to 'none' although this is not recommended.
appsecret: random
# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
appsecret: @RANDOM@
## burp1 backend specific options
#[Burp1]
......
......@@ -66,6 +66,8 @@ cp ${CONFIG_DIR}/gunicorn.d/burp-ui /etc/gunicorn.d/burp-ui
mkdir -p /etc/burp
cp ${CONFIG_DIR}/burp-ui/burpui.cfg /etc/burp/burpui.cfg
rand=$(dd if=/dev/urandom bs=256 count=1 2>/dev/null | base64 | sed ':a;N;$!ba;s/\n//g')
sed -i "s/@RANDOM@/$rand/" /etc/burp/burpui.cfg
# patch demo with piwik
REP=$(cat ${CONFIG_DIR}/patch/piwik.patch)
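Review bot: The `sed -i "s/@RANDOM@/$rand/"` substitution uses `/` as its delimiter while `$rand` is base64 text, whose alphabet includes `/`, so for a 256-byte value the expression will almost always be malformed and sed will fail. If the script carries on after that failure, `/etc/burp/burpui.cfg` keeps the literal `@RANDOM@` as its appsecret, a value that is visible in the repository. Use a delimiter outside the base64 alphabet, `sed -i "s|@RANDOM@|$rand|" /etc/burp/burpui.cfg`, and check afterwards that the placeholder is gone, e.g. `grep -q '@RANDOM@' /etc/burp/burpui.cfg && exit 1`. The rest of the script is outside the hunk, so whether it aborts on errors cannot be seen here.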
......
......@@ -28,6 +28,12 @@ play with:
- debug: Whether to run `Burp-UI`_ in debug mode or not to get some extra logging
- logfile: Path to a logfile in order to log `Burp-UI`_ internal messages
.. warning:: You need **MUST** set the *appsecret* option in your configuration
file when using gunicorn.
The default *magic* value 'random' cannot be used. If you
don't change the settings the default value will be 'none' and your
cookies won't be secured.
Daemon
------
......
......@@ -65,6 +65,7 @@ scookie: false
# application secret to secure cookies. If you don't set anything, the default
# value is 'random' which will generate a new secret after every restart of your
# application. You can also set it to 'none' although this is not recommended.
# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
appsecret: random
[Experimental]
......