安全修复：加固CSRF与凭证保护并修复越权风险

app_config.py

@@ -33,6 +33,23 @@ except ImportError:
 SECRET_KEY_FILE = "data/secret_key.txt"
 
 
+def _ensure_private_dir(path: str) -> None:
+    if not path:
+        return
+    os.makedirs(path, mode=0o700, exist_ok=True)
+    try:
+        os.chmod(path, 0o700)
+    except Exception:
+        pass
+
+
+def _ensure_private_file(path: str) -> None:
+    try:
+        os.chmod(path, 0o600)
+    except Exception:
+        pass
+
+
 def get_secret_key():
     """获取SECRET_KEY（优先环境变量）"""
     # 优先从环境变量读取
@@ -42,14 +59,16 @@ def get_secret_key():
 
     # 从文件读取
     if os.path.exists(SECRET_KEY_FILE):
+        _ensure_private_file(SECRET_KEY_FILE)
         with open(SECRET_KEY_FILE, "r") as f:
             return f.read().strip()
 
     # 生成新的
     new_key = os.urandom(24).hex()
-    os.makedirs("data", exist_ok=True)
+    _ensure_private_dir("data")
     with open(SECRET_KEY_FILE, "w") as f:
         f.write(new_key)
+    _ensure_private_file(SECRET_KEY_FILE)
     print(f"[OK] 已生成新的SECRET_KEY并保存到 {SECRET_KEY_FILE}")
     return new_key
 
@@ -203,7 +222,7 @@ class Config:
     SERVER_PORT = int(os.environ.get("SERVER_PORT", "51233"))
 
     # ==================== SocketIO配置 ====================
-    SOCKETIO_CORS_ALLOWED_ORIGINS = os.environ.get("SOCKETIO_CORS_ALLOWED_ORIGINS", "*")
+    SOCKETIO_CORS_ALLOWED_ORIGINS = os.environ.get("SOCKETIO_CORS_ALLOWED_ORIGINS", "")
 
     # ==================== 网站基础URL配置 ====================
     # 用于生成邮件中的验证链接等