mirror of
https://github.com/zoriya/flood.git
synced 2025-12-06 07:16:18 +00:00
config: deal with "secret" security hazard
If you provide a default, people WILL use it. It is a security hazard if people use the default private psk to sign auth messages. Flood usuaully has privileges to files. A potential intruder may download files inside Flood and that will lead to arbitrary remote code execution, not to mention rTorrent's rich and powerful script interface. This change makes sure there is NO default and build shall NOT pass before user provides a secret. Bug: Flood-UI/flood#589
This commit is contained in:
Jesse Chan
2
.github/workflows/build.yml
vendored
2
.github/workflows/build.yml
vendored
@@ -25,3 +25,5 @@ jobs:
|
||||
- run: cp config.template.js config.js
|
||||
- run: npm install
|
||||
- run: npm run build
|
||||
env:
|
||||
FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
|
||||
|
||||
Reference in New Issue
Block a user