some fixes for release

a6cb3c78 · Benjamin "Ziirish" SANS · cf1b584e · a6cb3c78 · a6cb3c78 · a6cb3c78
Commit a6cb3c78 authored May 17, 2016 by Benjamin "Ziirish" SANS
6 changed files
--- a/burpui/__init__.py
+++ b/burpui/__init__.py
@@ -217,10 +217,12 @@ def init(conf=None, verbose=0, logfile=None, gunicorn=True, unittest=False, debu
    app.setup(app.config['CFG'])

    # manage application secret key
-    if not app.secret_key or app.secret_key == 'random':
+    if not app.secret_key or app.secret_key.lower() == 'random' and \
+            not gunicorn:
        from base64 import b64encode
        app.secret_key = b64encode(os.urandom(256))
-    elif app.secret_key == 'none':
+    elif app.secret_key.lower() == 'none' or \
+            (app.secret_key.lower() == 'random' and gunicorn):
        app.secret_key = None

    app.wsgi_app = ReverseProxied(app.wsgi_app, app)

--- a/burpui/server.py
+++ b/burpui/server.py
@@ -127,7 +127,7 @@ class BUIServer(Flask):
                self.sslkey = self._safe_config_get(config.get, 'sslkey')
                self.prefix = self._safe_config_get(config.get, 'prefix')
                if self.prefix and not self.prefix.startswith('/'):
-                    if self.prefix.lower != 'none':
+                    if self.prefix.lower() != 'none':
                        self.logger.warning("'prefix' must start with a '/'!")
                    self.prefix = ''
                self.auth = self._safe_config_get(config.get, 'auth')

--- a/docker/docker-burpui/assets/config/burp-ui/burpui.cfg
+++ b/docker/docker-burpui/assets/config/burp-ui/burpui.cfg
@@ -64,7 +64,8 @@ scookie: true
 # application secret to secure cookies. If you don't set anything, the default
 # value is 'random' which will generate a new secret after every restart of your
 # application. You can also set it to 'none' although this is not recommended.
-appsecret: random
+# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
+appsecret: @RANDOM@

 ## burp1 backend specific options
 #[Burp1]

--- a/docker/docker-burpui/assets/setup/install
+++ b/docker/docker-burpui/assets/setup/install
@@ -66,6 +66,8 @@ cp ${CONFIG_DIR}/gunicorn.d/burp-ui /etc/gunicorn.d/burp-ui

 mkdir -p /etc/burp
 cp ${CONFIG_DIR}/burp-ui/burpui.cfg /etc/burp/burpui.cfg
+rand=$(dd if=/dev/urandom bs=256 count=1 2>/dev/null | base64 | sed ':a;N;$!ba;s/\n//g')
+sed -i "s/@RANDOM@/$rand/" /etc/burp/burpui.cfg

 # patch demo with piwik
 REP=$(cat ${CONFIG_DIR}/patch/piwik.patch)

--- a/docs/gunicorn.rst
+++ b/docs/gunicorn.rst
@@ -28,6 +28,12 @@ play with:
 - debug: Whether to run `Burp-UI`_ in debug mode or not to get some extra logging
 - logfile: Path to a logfile in order to log `Burp-UI`_ internal messages

+.. warning:: You need **MUST** set the *appsecret* option in your configuration
+             file when using gunicorn.
+             The default *magic* value 'random' cannot be used. If you
+             don't change the settings the default value will be 'none' and your
+             cookies won't be secured.
+
 Daemon
 ------


--- a/share/burpui/etc/burpui.sample.cfg
+++ b/share/burpui/etc/burpui.sample.cfg
@@ -65,6 +65,7 @@ scookie: false
 # application secret to secure cookies. If you don't set anything, the default
 # value is 'random' which will generate a new secret after every restart of your
 # application. You can also set it to 'none' although this is not recommended.
+# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
 appsecret: random

 [Experimental]