
How safe is a solution of writing/reading secret file from within Django app?

How vulnerable from security POV is the following solution of having random secret key stored on server filesystem?

import os
import random
import string
import time

def secret_key_gen(path, max_age=86400):
    """
    Try to load the SECRET_KEY from SECRET_FILE.
    If that fails, then generate a random SECRET_KEY
    and save it into our SECRET_FILE for future loading.
    If everything fails, then just raise an exception.

    Given the app is run by a user with sufficient rights
    to write into the app directory, the key file will be auto-generated
    the first time it is looked for.
    """

    SECRET_FILE = os.path.join(path, 'SECURITY_HASH')
    try:
        last_modified = os.stat(SECRET_FILE).st_mtime
        lifespan = time.time() - last_modified

        # regenerate the key if the file is older than allowed
        if lifespan > max_age:
            raise IOError

        with open(SECRET_FILE) as f:
            SECRET_KEY = f.read().strip()
    except (OSError, IOError):
        try:
            # letters, digits and punctuation only: string.printable also contains
            # whitespace, which the strip() above would remove on the next load
            # and so silently change the key between restarts
            alphabet = string.ascii_letters + string.digits + string.punctuation
            rng = random.SystemRandom()  # OS entropy source, not the default PRNG
            SECRET_KEY = ''.join(rng.choice(alphabet) for _ in range(32))
            with open(SECRET_FILE, 'w') as f:
                f.write(SECRET_KEY)
        except IOError:
            raise Exception('Cannot open file `%s` for writing.' % SECRET_FILE)
    return SECRET_KEY

# usage
SECURITY_HASH = secret_key_gen(
    path=os.path.dirname(__file__),
    max_age=60 * 60 * 24)

The server environment is Linux, running a multithreaded Apache server.

Credit for snippet: https://www.rdegges.com/2011/the-perfect-django-settings-file/

You might keep in mind that changing the SECRET_KEY setting via that max_age variable might have some consequences that impact your app. This SO question discusses some of the ways that the SECRET_KEY is used with Django.

Effects of changing Django's SECRET_KEY

You might check to make sure that you are not using your app in such a way that changing that setting would impact you.
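A hardened variant of the question's loader, added here as an illustration and not taken from the post or from the rdegges article it credits: it creates the key file with mode 0600 through a temp file and atomic rename (the default `open(..., 'w')` inherits the umask and is not atomic under concurrent Apache workers), uses the `secrets` module with a whitespace-free alphabet, and pairs it with a constructed HMAC signer to show the answer's point that the `max_age` rotation invalidates anything signed under the old key. The file name SECURITY_HASH and the 86400-second `max_age` come from the question; the signer is a stand-in for Django's signing module, not Django's code.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
import time

def load_or_create_secret(path, max_age=None):
    """Return the key stored at `path`; create or rotate it when the file is
    missing, unreadable or (if max_age is set) older than max_age seconds."""
    try:
        age = time.time() - os.stat(path).st_mtime
        if max_age is None or age <= max_age:
            with open(path) as f:
                return f.read().strip()
    except OSError:
        pass  # missing or unreadable: fall through and generate a new key
    # CSPRNG-backed, and the URL-safe alphabet has no whitespace for strip() to eat.
    key = secrets.token_urlsafe(50)
    # mkstemp opens the temp file with mode 0600 and O_EXCL, so other local users get
    # no readable window; os.replace is atomic, so a concurrent worker never sees a torn file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.write(key)
    os.replace(tmp, path)
    return key

def sign(key, value):
    """HMAC-SHA256 tag, a constructed stand-in for Django's signing module."""
    return hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()

def verify(key, value, tag):
    return hmac.compare_digest(sign(key, value), tag)

def rotation_demo(directory=None):
    # Exercise the loader and show what max_age rotation does to old signatures.
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "SECURITY_HASH")
    k1 = load_or_create_secret(path)
    tag = sign(k1, "session:42")
    k2 = load_or_create_secret(path, max_age=86400)  # fresh file: reused as-is
    old = time.time() - 2 * 86400                    # age the file by two days
    os.utime(path, (old, old))
    k3 = load_or_create_secret(path, max_age=86400)  # too old: regenerated
    return {
        "reload_matches": k1 == k2,
        "rotated": k3 != k1,
        "old_tag_valid_after_rotation": verify(k3, "session:42", tag),
        "mode": os.stat(path).st_mode & 0o777,
    }
```

With the question's `max_age`, every signed cookie, password-reset link and `signing.dumps()` value issued under the previous key fails verification after the daily rotation, which is the consequence the answer warns about.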
