From 58a08a1d7326b9ef744c0f41b9e8c5505dd3d924 Mon Sep 17 00:00:00 2001 From: Kevin Kirsche Date: Tue, 12 Oct 2021 09:00:50 -0400 Subject: [PATCH] use secrets instead of os.urandom --- docs/config.rst | 8 ++++---- docs/quickstart.rst | 4 ++-- docs/tutorial/deploy.rst | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/config.rst b/docs/config.rst index 768cf60d..2f387b46 100644 --- a/docs/config.rst +++ b/docs/config.rst @@ -38,7 +38,7 @@ method:: app.config.update( TESTING=True, - SECRET_KEY=b'_5#y2L"F4Q8z\n\xec]/' + SECRET_KEY='192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf' ) @@ -180,8 +180,8 @@ The following configuration values are used internally by Flask: application. It should be a long random ``bytes`` or ``str``. For example, copy the output of this to your config:: - $ python -c 'import os; print(os.urandom(16))' - b'_5#y2L"F4Q8z\n\xec]/' + $ python -c 'import secrets; print(secrets.token_hex()))' + '192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf' **Do not reveal the secret key when posting questions or committing code.** @@ -468,7 +468,7 @@ sure to use uppercase letters for your config keys. Here is an example of a configuration file:: # Example configuration - SECRET_KEY = b'_5#y2L"F4Q8z\n\xec]/' + SECRET_KEY = '192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf' Make sure to load the configuration very early on, so that extensions have the ability to access the configuration when starting up. There are other diff --git a/docs/quickstart.rst b/docs/quickstart.rst index 179c4103..9bddbfc0 100644 --- a/docs/quickstart.rst +++ b/docs/quickstart.rst 
@@ -847,8 +847,8 @@ sessions work:: generator. Use the following command to quickly generate a value for :attr:`Flask.secret_key` (or :data:`SECRET_KEY`):: - $ python -c 'import os; print(os.urandom(16))' - b'_5#y2L"F4Q8z\n\xec]/' + $ python -c 'import secrets; print(secrets.token_hex())' + '192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf' A note on cookie-based sessions: Flask will take the values you put into the session object and serialize them into a cookie. If you are finding some diff --git a/docs/tutorial/deploy.rst b/docs/tutorial/deploy.rst index d954b5e7..19aa87fc 100644 --- a/docs/tutorial/deploy.rst +++ b/docs/tutorial/deploy.rst @@ -88,9 +88,9 @@ You can use the following command to output a random secret key: .. code-block:: none - $ python -c 'import os; print(os.urandom(16))' + $ python -c 'import secrets; print(secrets.token_hex())' - b'_5#y2L"F4Q8z\n\xec]/' + '192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf' Create the ``config.py`` file in the instance folder, which the factory will read from if it exists. Copy the generated value into it. @@ -98,7 +98,7 @@ will read from if it exists. Copy the generated value into it. .. code-block:: python :caption: ``venv/var/flaskr-instance/config.py`` - SECRET_KEY = b'_5#y2L"F4Q8z\n\xec]/' + SECRET_KEY = '192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf' You can also set any other necessary configuration here, although ``SECRET_KEY`` is the only one needed for Flaskr.
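Review bot: In docs/config.rst, hunk @@ -180,8 +180,8 @@, the added command has one closing parenthesis too many: `print(secrets.token_hex()))` fails with a SyntaxError when run. The same command in docs/quickstart.rst and docs/tutorial/deploy.rst is written with balanced parentheses, `print(secrets.token_hex())`; use that form here as well.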
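Review bot: In docs/quickstart.rst, hunk @@ -847,8 +847,8 @@, the sample output line is shown wrapped in quotes, but print() on the str returned by secrets.token_hex() writes only the hex digits. The removed os.urandom example printed a bytes repr, which is why its output carried b'...'. Show the output unquoted so the transcript matches what the reader will see on their terminal; the sample output line in the docs/config.rst hunk at @@ -180,8 +180,8 @@ has the same mismatch.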
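Review bot: In docs/tutorial/deploy.rst, hunk @@ -88,9 +88,9 @@, the unchanged text after the command tells the reader to copy the generated value into config.py, and that step no longer works verbatim. The old bytes repr could be pasted as printed; the new command prints a bare hex string, so pasting it after `SECRET_KEY = ` without adding quotes does not give a working config file. Either state that the value must be wrapped in quotes, as the config.py example in the following hunk shows, or have the command print the repr of the token so the output can be pasted directly.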