From e3b98eaa6a26184ff666fe630457472344fe70bf Mon Sep 17 00:00:00 2001
From: zzlgreat
Date: Mon, 15 Dec 2025 08:15:23 +0800
Subject: [PATCH] =?UTF-8?q?security:=20=E6=B7=BB=E5=8A=A0=20Redis=20?=
 =?UTF-8?q?=E5=AF=86=E7=A0=81=E8=AE=A4=E8=AF=81=EF=BC=8C=E4=BF=AE=E5=A4=8D?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 所有 Redis 连接添加密码参数
- 支持通过 REDIS_PASSWORD 环境变量配置密码
- 修复 Redis 未授权访问漏洞(被黑客利用设置为 slave)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 app.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/app.py b/app.py
index a815b80f..38b31117 100755
--- a/app.py
+++ b/app.py
@@ -189,8 +189,9 @@ print("✅ ProxyFix 已配置,Flask 将信任反向代理头(X-Forwarded-Pro
 # ============ Redis 连接配置(支持环境变量覆盖) ============
 _REDIS_HOST = os.environ.get('REDIS_HOST', 'localhost')
 _REDIS_PORT = int(os.environ.get('REDIS_PORT', 6379))
-redis_client = redis.Redis(host=_REDIS_HOST, port=_REDIS_PORT, db=0, decode_responses=True)
-print(f"📦 Redis 配置: {_REDIS_HOST}:{_REDIS_PORT}/db=0")
+_REDIS_PASSWORD = os.environ.get('REDIS_PASSWORD', 'VF_Redis_Secure_2024!') # Redis 密码(安全加固)
+redis_client = redis.Redis(host=_REDIS_HOST, port=_REDIS_PORT, db=0, password=_REDIS_PASSWORD, decode_responses=True)
+print(f"📦 Redis 配置: {_REDIS_HOST}:{_REDIS_PORT}/db=0 (已启用密码认证)")
 
 # ============ 验证码 Redis 存储(支持多进程/多 Worker) ============
 VERIFICATION_CODE_PREFIX = "vf_code:"
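Review bot: The fallback `'VF_Redis_Secure_2024!'` on the `_REDIS_PASSWORD` line is a hard-coded credential that is now part of the repository history, so any deployment that forgets to set `REDIS_PASSWORD` authenticates with a password that everyone with read access to the repo already knows; a missing variable should stop startup instead. Replace the line with `_REDIS_PASSWORD = os.environ.get('REDIS_PASSWORD')` followed by `if not _REDIS_PASSWORD: raise RuntimeError('REDIS_PASSWORD must be set')` (or, if an unauthenticated local dev instance is genuinely wanted, default to `None`, which redis-py treats as no AUTH). Whatever value the server's `requirepass` was set to during this rollout should be treated as exposed by this commit and rotated, and the old literal scrubbed from history. The added `print` reports only host, port and db, which is right — keep the password out of startup output.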
@@ -363,7 +364,7 @@ USE_REDIS_SESSION = os.environ.get('USE_REDIS_SESSION', 'true').lower() == 'true
 
 if USE_REDIS_SESSION:
     app.config['SESSION_TYPE'] = 'redis'
-    app.config['SESSION_REDIS'] = redis.Redis(host=_REDIS_HOST, port=_REDIS_PORT, db=1) # db=1 用于 session
+    app.config['SESSION_REDIS'] = redis.Redis(host=_REDIS_HOST, port=_REDIS_PORT, db=1, password=_REDIS_PASSWORD) # db=1 用于 session
     app.config['SESSION_PERMANENT'] = True
     app.config['SESSION_USE_SIGNER'] = True # 对 session cookie 签名,提高安全性
     app.config['SESSION_KEY_PREFIX'] = 'vf_session:' # session key 前缀
@@ -517,7 +518,8 @@ print(f"📡 Flask-SocketIO async_mode: {_async_mode}")
 
 # Redis 消息队列 URL(支持多 Worker 之间的消息同步)
 # 使用 127.0.0.1 而非 localhost,避免 eventlet DNS 问题
-SOCKETIO_MESSAGE_QUEUE = os.environ.get('SOCKETIO_REDIS_URL', f'redis://{_REDIS_HOST}:{_REDIS_PORT}/2')
+# 格式: redis://:password@host:port/db
+SOCKETIO_MESSAGE_QUEUE = os.environ.get('SOCKETIO_REDIS_URL', f'redis://:{_REDIS_PASSWORD}@{_REDIS_HOST}:{_REDIS_PORT}/2')
 
 # 检测是否需要启用消息队列
 # 默认启用(多 Worker 模式需要,单 Worker 模式也兼容)
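Review bot: The session client on the changed `SESSION_REDIS` line now repeats the host/port/password triple for the third time in this file (`redis_client` in the earlier hunk and the SocketIO URL in the next carry the same values), so a future change to authentication — adding a username, a TLS flag, a different host — has to be made in three places and is easy to miss in one. A small shared mapping keeps the call sites in step: `_REDIS_AUTH = {'host': _REDIS_HOST, 'port': _REDIS_PORT, 'password': _REDIS_PASSWORD}` next to the other `_REDIS_*` constants, and here `app.config['SESSION_REDIS'] = redis.Redis(db=1, **_REDIS_AUTH)  # db=1 用于 session`. The `if USE_REDIS_SESSION:` block continues past the end of the hunk.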
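Review bot: The password is interpolated into the URL on the `SOCKETIO_MESSAGE_QUEUE` line without escaping, so a value containing `@`, `/`, `:`, `#` or `%` (the current default ends in `!`, which is URL-safe, but a rotated secret may not be) would be parsed as host or path and the client would target the wrong endpoint or fail to authenticate. Build the default with `urllib.parse.quote(_REDIS_PASSWORD, safe='')` in place of the raw `{_REDIS_PASSWORD}`, importing `urllib.parse` if the file does not already. Operators who override `SOCKETIO_REDIS_URL` must now also embed the credential there, which the added `# 格式:` comment should spell out, and because the secret now lives inside a plain string, take care that this value is never echoed in the startup `print` calls or in exception messages the way `_REDIS_HOST`/`_REDIS_PORT` are elsewhere in this diff.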