CTFs as you need them
APACHE-2.0 License
Published by ColdHeat over 5 years ago
Security
General
linux-headers package from apkconfig.py
Exports
tempfile.NamedTemporaryFile() instead of memory during creation
Published by ColdHeat over 5 years ago
General
verify_emails is enabled
email.check_email_is_whitelisted() to verify that a user's email is whitelisted.
get_config wrapper around the internal _get_config to let us set a default config value (Closes #659)
utils.get_app_config() from memoization and also give it a default parameter
utils.logging.init_logs() into utils.initialization and properly call init_logs() to save logs to the logs folder
view_after_ctf is set.
API
/api/v1/teams/<team_id> now coerced to an int (i.e. /api/v1/teams/<int:team_id>)
Deployment
LOG_FOLDER envvar to docker-compose so we don't try to write to the read-only host
LOG_FOLDER in docker without explicit opt-in
ACCESS_LOG and ERROR_LOG envvars to docker to specify where gunicorn will log to
DATABASE_URL to contain custom MySQL ports for docker-entrypoint.sh
WORKERS count to 1 to avoid dealing with Flask-SocketIO sticky sessions
gevent-websocket and use it by default until we have a better solution
Published by ColdHeat almost 6 years ago
Security Release
This release resolves a security issue that allowed malicious users to hijack admin browser sessions in certain browsers under certain configurations.
The implemented fix is to require the new CSRF-Token header on state-changing requests with a Content-Type of application/json. The same nonce used for standard POST requests is re-used for the CSRF-Token header.
Because of the necessary changes to the API, the previously used call to fetch() in themes should now be replaced with CTFd.fetch().
If you have questions or need help upgrading, please reach out in the CTFd Slack.
Security
CSRF-Token header on all API requests.
GET, HEAD, OPTIONS, and TRACE.
SameSite=Lax
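As an added example (not CTFd's own code), the following Python models the rule described in this release: safe methods pass, a state-changing request with a JSON Content-Type must carry the session nonce in the CSRF-Token header, and ordinary form posts keep sending that same nonce in a form field. The Request class and the form-field name 'nonce' are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Methods the release notes exempt from the check: they must not change state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    """Constructed stand-in for the parts of a Flask request the check reads."""
    method: str
    content_type: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def new_nonce() -> str:
    """Generate the per-session nonce that is kept server-side in the session."""
    return secrets.token_hex(32)


def is_json(content_type: str) -> bool:
    """True for application/json, ignoring parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower() == "application/json"


def csrf_ok(req: Request, session_nonce: Optional[str]) -> bool:
    """Decide whether a request may proceed.

    A cross-site HTML form cannot add custom headers, so requiring the nonce
    in a header (not in the body) blocks forged JSON requests from other
    origins. Form posts keep using the 'nonce' field (assumed name).
    """
    if req.method.upper() in SAFE_METHODS:
        return True
    if not session_nonce:
        return False  # nothing to compare against: reject
    if is_json(req.content_type):
        # Header names are case-insensitive; normalise before the lookup.
        lowered = {k.lower(): v for k, v in req.headers.items()}
        supplied = lowered.get("csrf-token")
    else:
        supplied = req.form.get("nonce")
    if supplied is None:
        return False
    # Constant-time comparison on bytes so a non-ASCII value cannot raise.
    return hmac.compare_digest(supplied.encode("utf-8"), session_nonce.encode("utf-8"))
```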
General
update_check() logic so that we don't accidentally remove the update notification.
Themes
script_root in public JS.
CTFd.fetch() function (defined in CTFd.js) and properly register the url root and CSRF nonce in base.html as shown below:
var script_root = "{{ request.script_root }}";
var csrf_nonce = "{{ nonce }}";
CTFd.options.urlRoot = script_root;
CTFd.options.csrfNonce = csrf_nonce;
url_for('views.themes') no longer requires the themes parameter. It now defaults to the currently in-use theme.
Published by ColdHeat almost 6 years ago
General
request.path to combine both request.script_root and request.path.
request.full_path instead of just request.path.
TestingConfig.SAFE_MODE not being reset between tests.
value input in dynamic challenge update field since we calculate it on the user's behalf.
normality version because of an upstream issue in dataset.
500's when users submit non-integer values to ?page=1
API
/api/v1/notifications/<id> to allow accessing notifications by ID.
account_url field to the response of /api/v1/<challenge_id>/solves so the client knows where an account is located.
Plugins
Published by ColdHeat almost 6 years ago
2.0.1 is a patch release to fix regressions and bugs in 2.0.0.
If you are upgrading from a version prior to 2.0.0, please read the 2.0.0 change notes for instructions on updating to 2.0.0 before updating to 2.0.1.
General
get_smtp().
MAIL_USEAUTH to config.py.
config.py.
cache_size to 0 (#662)
Themes
confirm.html to use the variable user instead of team
API
mail_username, mail_password
/api/v1/hints/<id>?preview=true for use by admins
Exports
S3Uploader in Python 3 and fix test
Published by ColdHeat almost 6 years ago
2.0.0 is a significant, backwards-incompatible release.
Many unofficial plugins will not be supported in CTFd 2.0.0. If you're having trouble updating your plugins, please join the CTFd Slack for help and discussion.
If you are upgrading from a prior version be sure to make backups and have a reversion plan before upgrading.
migrations/1_2_0_upgrade_2_0_0.py script as follows:
git pull, but do not run any updated code yet.
DATABASE_URL in CTFd/config.py to point to your existing CTFd database.
python migrations/1_2_0_upgrade_2_0_0.py.
General
fetch() to consume the REST API.
filesystem or redis, allowing for session revocation.
CTfd/.data/filesystem_cache.
docker-entrypoint.sh defaults to 1. (#716)
docker-entrypoint.sh exits on any error. (#717)
SAFE_MODE configuration to disable loading of plugins.
Themes
fetch() to consume the REST API.
url_for() to generate URLs instead of hardcoding.
ctf_name() renamed to get_ctf_name() in themes.
ctf_logo() renamed to get_ctf_logo() in themes.
ctf_theme() renamed to get_ctf_theme() in themes.
accounts_visible(), challenges_visible(), registration_visible(), scores_visible()
Plugins
sorted() order.
html and have simplified names (create, update, view).
SAFE_MODE configuration to disable loading of plugins.
Published by ColdHeat over 6 years ago
General
flask run instead of python serve.py.
/chals endpoint no longer lists the details of challenges.
/chals/:id endpoint is now used to load challenge information before display.
nose-randomly.
Themes
marked library to Markdown-It for client side markdown rendering.
ezpg() JS function to make it easier to draw a progressbar modal.
$.patch() AJAX wrapper.
teams.html.
admin, verified, visible.
Plugins
preRender(), render(), postRender(), submit().
modal.njk now use {{ description }} instead of {{ desc }}, properly aligning with the database schema.
utils.base64decode() & utils.base64encode() functions no longer expose url encoding/decoding parameters.
Published by ColdHeat over 6 years ago
General
Themes
Published by ColdHeat over 6 years ago
General
Themes
Plugins
Published by ColdHeat almost 7 years ago
General
Themes
Published by ColdHeat almost 7 years ago
General
Themes
update() function now has a callback instead of being hardcoded.
chalboard.js now passes script_root into the Nunjucks templates so that file downloads work properly under subdirectories.
Published by ColdHeat almost 7 years ago
Themes
ezq.js, a simple Bootstrap modal wrapper.
Database
Keys.key_type has been renamed to Keys.type.
Challenge Type Plugins
General
versioning.ctfd.io. Admins will see in the admin panel that CTFd can be updated.
submitkey() function now takes an optional callback.
utils.get_config() no longer looks at app.config values. Instead use utils.get_app_config().
Published by ColdHeat almost 7 years ago
CTFd.plugins.register_plugin_assets_directory registers a directory to be served
CTFd.plugins.register_plugin_asset registers a file to be served
CTFd.plugins.register_admin_plugin_menu_bar
CTFd.plugins.register_user_page_menu_bar
config.json to define plugin attributes in lieu of config.html. Backwards compatibility has been maintained. With config.json, plugins can now control where the user is linked to instead of being directed to config.html.
CTFd.plugins wrappers.
/team endpoint which takes the user to their own public profile.
prepare.sh is now marked executable.
Always backup your database before upgrading!
Published by ColdHeat about 7 years ago
utils.register_plugin_script()
utils.register_plugin_stylesheet()
Published by ColdHeat over 7 years ago
override_template() function allowing plugins to replace the content of any template loaded by CTFd
Published by ColdHeat over 7 years ago
Published by ColdHeat over 7 years ago
Always backup database before upgrading!
Published by ColdHeat over 7 years ago