| author | Chris McDonough <chrism@plope.com> | 2010-11-10 15:24:09 -0500 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2010-11-10 15:24:09 -0500 |
| commit | 7bd14cbfb396bdb1e892ef0b9d51619c78ae368f (patch) | |
| tree | dde8a10c2789a3d9c55116e4fe84f632f47d5351 | |
| parent | 3d66b2dba3c731851a481f78a3388c7f2cb9dce5 (diff) | |
| download | pyramid-7bd14cbfb396bdb1e892ef0b9d51619c78ae368f.tar.gz pyramid-7bd14cbfb396bdb1e892ef0b9d51619c78ae368f.tar.bz2 pyramid-7bd14cbfb396bdb1e892ef0b9d51619c78ae368f.zip | |
- The pylons_* paster templates used the same string
(``your_app_secret_string``) for the ``session.secret`` setting in the
generated ``development.ini``. This was a security risk if left unchanged
in a project that used one of the templates to produce production
applications. It now uses a randomly generated string.
| -rw-r--r-- | CHANGES.txt | 6 | ||||
| -rw-r--r-- | pyramid/paster.py | 21 | ||||
| -rw-r--r-- | pyramid/paster_templates/pylons_basic/development.ini_tmpl | 2 | ||||
| -rw-r--r-- | pyramid/paster_templates/pylons_minimal/development.ini_tmpl | 2 | ||||
| -rw-r--r-- | pyramid/paster_templates/pylons_sqla/development.ini_tmpl | 2 |
5 files changed, 22 insertions, 11 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 307a34f58..4354f5c7c 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -15,6 +15,12 @@ Bug Fixes syntax as the pattern supplied to ``add_route``. This style of routing is not supported. They were replaced with ``:colon`` style route patterns.
+- The pylons_* paster template used the same string
+ (``your_app_secret_string``) for the ``session.secret`` setting in the
+ generated ``development.ini``. This was a security risk if left unchanged
+ in a project that used one of the templates to produce production
+ applications. It now uses a randomly generated string.
+
 Documentation
 -------------
diff --git a/pyramid/paster.py b/pyramid/paster.py
index 21dcccf9e..0b8c21d4e 100644
--- a/pyramid/paster.py
+++ b/pyramid/paster.py
@@ -9,42 +9,47 @@ from paste.util.template import paste_script_template_renderer
 from pyramid.scripting import get_root
-class StarterProjectTemplate(Template):
+class PyramidTemplate(Template):
+ def pre(self, command, output_dir, vars): # pragma: no cover
+ vars['random_string'] = os.urandom(20).encode('hex')
+ return Template.pre(self, command, output_dir, vars)
+
+class StarterProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/starter'
 summary = 'pyramid starter project'
 template_renderer = staticmethod(paste_script_template_renderer)
-class StarterZCMLProjectTemplate(Template):
+class StarterZCMLProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/starter_zcml'
 summary = 'pyramid starter project (ZCML)'
 template_renderer = staticmethod(paste_script_template_renderer)
-class ZODBProjectTemplate(Template):
+class ZODBProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/zodb'
 summary = 'pyramid ZODB starter project'
 template_renderer = staticmethod(paste_script_template_renderer)
-class RoutesAlchemyProjectTemplate(Template):
+class RoutesAlchemyProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/routesalchemy'
 summary = 'pyramid SQLAlchemy project using Routes (no traversal)'
 template_renderer = staticmethod(paste_script_template_renderer)
-class AlchemyProjectTemplate(Template):
+class AlchemyProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/alchemy'
 summary = 'pyramid SQLAlchemy project using traversal'
 template_renderer = staticmethod(paste_script_template_renderer)
-class PylonsBasicProjectTemplate(Template):
+class PylonsBasicProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/pylons_basic'
 summary = 'Pylons basic project'
 template_renderer = staticmethod(paste_script_template_renderer)
-class PylonsMinimalProjectTemplate(Template):
+class PylonsMinimalProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/pylons_minimal'
 summary = 'Pylons minimal project'
 template_renderer = staticmethod(paste_script_template_renderer)
-class PylonsSQLAlchemyProjectTemplate(Template):
+class PylonsSQLAlchemyProjectTemplate(PyramidTemplate):
 _template_dir = 'paster_templates/pylons_sqla'
 summary = 'Pylons SQLAlchemy project'
 template_renderer = staticmethod(paste_script_template_renderer)
diff --git a/pyramid/paster_templates/pylons_basic/development.ini_tmpl b/pyramid/paster_templates/pylons_basic/development.ini_tmpl
index e147ba76d..569256739 100644
--- a/pyramid/paster_templates/pylons_basic/development.ini_tmpl
+++ b/pyramid/paster_templates/pylons_basic/development.ini_tmpl
@@ -10,7 +10,7 @@ session.type = file
 session.data_dir = %(here)s/data/sessions/data
 session.lock_dir = %(here)s/data/sessions/lock
 session.key = {{project}}
-session.secret = your_app_secret_string
+session.secret = {{random_string}}
 [pipeline:main]
 pipeline = egg:WebError#evalerror
diff --git a/pyramid/paster_templates/pylons_minimal/development.ini_tmpl b/pyramid/paster_templates/pylons_minimal/development.ini_tmpl
index e147ba76d..569256739 100644
--- a/pyramid/paster_templates/pylons_minimal/development.ini_tmpl
+++ b/pyramid/paster_templates/pylons_minimal/development.ini_tmpl
@@ -10,7 +10,7 @@ session.type = file
 session.data_dir = %(here)s/data/sessions/data
 session.lock_dir = %(here)s/data/sessions/lock
 session.key = {{project}}
-session.secret = your_app_secret_string
+session.secret = {{random_string}}
 [pipeline:main]
 pipeline = egg:WebError#evalerror
diff --git a/pyramid/paster_templates/pylons_sqla/development.ini_tmpl b/pyramid/paster_templates/pylons_sqla/development.ini_tmpl
index 82d55950b..936d41b29 100644
--- a/pyramid/paster_templates/pylons_sqla/development.ini_tmpl
+++ b/pyramid/paster_templates/pylons_sqla/development.ini_tmpl
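Review bot: `vars['random_string'] = os.urandom(20).encode('hex')` in the new `PyramidTemplate.pre` relies on the Python 2-only `'hex'` str codec; `binascii.hexlify(os.urandom(20))` yields the same 40-character value and also works on bytes under Python 3, so it is the more portable spelling. The hook has no docstring; I would add `"""Expose a per-project ``random_string`` (40 hex chars from os.urandom) to the template vars."""` so template authors know the variable exists and where it comes from. The `# pragma: no cover` exempts the only security-relevant line of the commit from testing; a small test asserting that `vars['random_string']` is present, 40 characters long and hexadecimal would pin the behaviour. Whether `os` (and `binascii`, if adopted) is already imported at the top of paster.py lies outside this hunk and should be checked.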
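Review bot: `session.secret = {{random_string}}` removes the shared default, but the value is still written into a generated `development.ini`, a file projects commonly commit to version control, so its secrecy is bounded by repository access; the same applies to the pylons_minimal hunk here and the pylons_sqla hunk that follows. A comment above the line in each template, e.g. `# session.secret is generated once per project; use a distinct value for production deployments`, would make that expectation explicit to users of the template.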
@@ -12,7 +12,7 @@ session.type = file
 session.data_dir = %(here)s/data/sessions/data
 session.lock_dir = %(here)s/data/sessions/lock
 session.key = {{project}}
-session.secret = your_app_secret_string
+session.secret = {{random_string}}
 [pipeline:main]
 pipeline = |
