Application templates for WordPress and Rails (at a minimum) have hardcoded session secret keys in their configuration that would expose users creating new applications from those templates to session security vulnerabilities unless the developer changes it. Since we can't safely assume users will change those, the quickstart source we need will have to generate those the first time they are deployed and then read from the file. Recommend that in the Rails example the secret_token.rb file attempt to read it from a file in the data dir, and if it doesn't exist, create a new one based on a source of entropy on the system. There's a pull request for WordPress from a community member who demonstrates a fix (https://github.com/openshift/wordpress-example/pull/3) - recommend we merge that. We can't ship application templates that have this vulnerability. Need to do a security review of all app templates for source.
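One way to implement the Rails side of that recommendation, as an added example (not the OpenShift quickstart's own code): a `config/initializers/secret_token.rb` that reads the secret from the app's data directory and generates it from the OS CSPRNG on first boot. It assumes the data dir is given by the `OPENSHIFT_DATA_DIR` environment variable (falling back to `tmp/`) and that the file is named `secret_token`.

```ruby
# Added example, not code from the template repository. Persists a
# per-deployment session secret instead of shipping a hardcoded one: a
# value shared by every app cloned from the template would let anyone who
# read the template forge session cookies for all of those apps.
require "securerandom"
require "fileutils"

module PersistentSecret
  MIN_LEN = 64  # refuse anything shorter than 64 chars (we write 128 hex chars)

  # Returns the secret stored at `path`, generating it on first run.
  def self.load_or_create(path)
    if File.file?(path)
      secret = File.read(path).strip
      # Fail loudly rather than silently run with an empty/short secret.
      raise "secret at #{path} is too short" if secret.length < MIN_LEN
      return secret
    end
    FileUtils.mkdir_p(File.dirname(path))
    secret = SecureRandom.hex(64)  # 64 random bytes from the OS CSPRNG
    # 0600 keeps the secret out of other users' reach; O_EXCL makes sure a
    # concurrent first boot cannot overwrite a secret another process wrote.
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(secret)
    end
    secret
  rescue Errno::EEXIST
    File.read(path).strip  # another process won the race; use its secret
  end

  # Assumed location: $OPENSHIFT_DATA_DIR/secret_token (hypothetical name).
  def self.default_path
    base = ENV["OPENSHIFT_DATA_DIR"] || File.join(Dir.pwd, "tmp")
    File.join(base, "secret_token")
  end
end

# Rails 3.x initializer hook: replaces the hardcoded config.secret_token line.
if defined?(Rails)
  Rails.application.config.secret_token =
    PersistentSecret.load_or_create(PersistentSecret.default_path)
end
```

The same read-or-generate pattern applies to the WordPress salts, with the file written once into the data dir and sourced by wp-config.php.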
Reach out to the evangelism team (through Grant) to get help fixing the other templates as needed. Templates can't go live until this is resolved.
Created attachment 587892: Warning for templates
Currently, we are providing the users with a warning banner when creating templates that tells them to check the README file in the git repo for additional information. Going forward, we will figure out the best way to handle this.
This has been converted to a User Story, https://rally1.rallydev.com/#/4670513817d/detail/userstory/6600022116. Closing the bug.