Fix the way we handle the application context

The init script was pushing an application context, which maked flask.g global and persisted across requests. This was evaluated to have a minimal security impact. This explains/fixes Mailu#738: flask_wtf caches the csrf token in the application context to have a single token per request, and only sets the session attribute after the first generation.
kaiyou · Dec 13, 2018 · 087841d · 087841d
1 parent b5f51b0
commit 087841d
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 2 deletions.
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
@@ -8,7 +8,6 @@ def create_app_from_config(config):
     """ Create a new application based on the given configuration
     """
     app = flask.Flask(__name__)
-    app.app_context().push()
     app.cli.add_command(manage.mailu)
 
     # Bootstrap is used for basic JS and CSS loading

diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
@@ -9,7 +9,7 @@
 
 @internal.route("/auth/email")
 @utils.limiter.limit(
-    app.config["AUTH_RATELIMIT"],
+    lambda: app.config["AUTH_RATELIMIT"],
     lambda: flask.request.headers["Client-Ip"]
 )
 def nginx_authentication():