
Security Hole: flask_apscheduler.APScheduler.init_app() always adds Jobs UI #6

Closed
adroffner opened this issue Sep 9, 2015 · 2 comments

Comments

@adroffner

The Jobs UI allows anyone to see the jobs list & run a job ID. There is no authentication scheme to protect the job control. This is a major security hole.

The real problem is that APScheduler.init_app() always adds the Jobs UI endpoints. Please add a flag to the constructor and init_app methods so that the Jobs UI can be left out of the Flask routes (I recommend this as the default).

NOTE:
For now, I am overriding the method to ignore __load_views() so that it doesn't make the routes.

@viniciuschiele
Owner

@adroffner

Definitely, that is a good idea. I will add a new flag in the Flask config object to enable the views; the default will be False.

e.g.:

app.config['APSCHEDULER_VIEWS'] = True

I will try to release a new version today.

Cheers!

@viniciuschiele
Owner

I have added a new flag called SCHEDULER_VIEWS_ENABLED to enable/disable the views, by default it is False.

app.config['SCHEDULER_VIEWS_ENABLED'] = True
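The two points raised in this thread, that job control must not be exposed by default and that, when it is exposed, it needs an authentication check, shown together as an added example. This is not flask-apscheduler's code: a small standard-library WSGI app stands in for the Flask routes, and the names JobRegistry, SchedulerViews and SCHEDULER_VIEWS_TOKEN are assumptions made here. Only SCHEDULER_VIEWS_ENABLED comes from the maintainer's reply above.

```python
"""Opt-in job-control endpoints guarded by a shared bearer token.

Added example, not flask-apscheduler's code. It models the issue's two points
with only the standard library (a tiny WSGI app stands in for Flask):
  1. the job routes are registered only when the config opts in (default off);
  2. even when enabled, every job-control request must carry a token.
JobRegistry, SchedulerViews and SCHEDULER_VIEWS_TOKEN are assumed names.
"""
import hmac
import json
from wsgiref.util import setup_testing_defaults


class JobRegistry:
    """Stand-in for the scheduler: holds callables and records which ones ran."""

    def __init__(self):
        self.jobs = {}
        self.ran = []

    def add_job(self, job_id, func):
        self.jobs[job_id] = func

    def run_job(self, job_id):
        self.jobs[job_id]()
        self.ran.append(job_id)


class SchedulerViews:
    """WSGI app exposing job-control endpoints only when the config opts in.

    Routes (present only if SCHEDULER_VIEWS_ENABLED is true, default False):
      GET  /scheduler/jobs            list job ids
      POST /scheduler/jobs/<id>/run   run one job
    Both require 'Authorization: Bearer <SCHEDULER_VIEWS_TOKEN>'.
    """

    def __init__(self, registry, config):
        self.registry = registry
        self.enabled = bool(config.get("SCHEDULER_VIEWS_ENABLED", False))
        self.token = config.get("SCHEDULER_VIEWS_TOKEN")  # assumed config key
        if self.enabled and not self.token:
            # Refuse to expose job control without a credential configured.
            raise ValueError("SCHEDULER_VIEWS_ENABLED requires SCHEDULER_VIEWS_TOKEN")

    def _authorized(self, environ):
        scheme, _, presented = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme != "Bearer" or not presented.isascii():
            return False
        # Constant-time comparison so the token cannot be recovered byte by byte.
        return hmac.compare_digest(presented, self.token)

    @staticmethod
    def _reply(start_response, status, payload):
        body = json.dumps(payload).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(body)))])
        return [body]

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET")
        # With views disabled the routes simply do not exist: plain 404.
        if not self.enabled or not path.startswith("/scheduler/"):
            return self._reply(start_response, "404 Not Found", {"error": "not found"})
        # Authentication happens before any routing, so listing is protected too.
        if not self._authorized(environ):
            return self._reply(start_response, "401 Unauthorized", {"error": "unauthorized"})
        parts = path.split("/")  # '/scheduler/jobs/<id>/run' -> ['', 'scheduler', 'jobs', '<id>', 'run']
        if method == "GET" and path == "/scheduler/jobs":
            return self._reply(start_response, "200 OK", {"jobs": sorted(self.registry.jobs)})
        if (method == "POST" and len(parts) == 5 and parts[2] == "jobs"
                and parts[4] == "run" and parts[3] in self.registry.jobs):
            self.registry.run_job(parts[3])
            return self._reply(start_response, "200 OK", {"ran": parts[3]})
        return self._reply(start_response, "404 Not Found", {"error": "not found"})


def request(app, method, path, token=None):
    """Drive the WSGI app in-process; returns (status code, decoded JSON body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    setup_testing_defaults(environ)  # fills in the rest of a WSGI environ
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


def demo():
    """Default config hides the routes; opting in still requires the token."""
    registry = JobRegistry()
    registry.add_job("nightly_report", lambda: None)  # constructed sample job

    hidden = SchedulerViews(registry, {})  # default: views disabled
    exposed = SchedulerViews(registry, {"SCHEDULER_VIEWS_ENABLED": True,
                                        "SCHEDULER_VIEWS_TOKEN": "s3cret"})  # constructed token
    return {
        "disabled_list": request(hidden, "GET", "/scheduler/jobs")[0],
        "no_token_list": request(exposed, "GET", "/scheduler/jobs")[0],
        "wrong_token_run": request(exposed, "POST", "/scheduler/jobs/nightly_report/run", "guess")[0],
        "good_list": request(exposed, "GET", "/scheduler/jobs", "s3cret"),
        "good_run": request(exposed, "POST", "/scheduler/jobs/nightly_report/run", "s3cret"),
        "ran": list(registry.ran),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the outcome of each request: the disabled app answers 404 to the job list, the enabled app answers 401 without or with a wrong token and 200 only with the configured one, and the registry records exactly one run. The constructor raising when the views are enabled without a token is the check to keep: a flag alone, as in the fix described above, stops accidental exposure, but does not by itself authenticate whoever reaches an enabled endpoint.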
