JohnHammond
/
CTFd
mirror of https://github.com/JohnHammond/CTFd.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixing CSRF issues and expanding trusted proxies to local network

selenium-screenshot-testing
CodeKevin 2016-02-06 15:38:14 -05:00
parent c336ad6fd1
commit 1dcba3a264
4 changed files with 38 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CTFd/templates/login.html
View File

@ -60,6 +60,7 @@
<button type="submit" id="submit" tabindex="5" class="btn btn-md btn-theme btn-outlined pull-right">Submit</button>
</div>
</div>
<input type="hidden" name="nonce" value="{{ nonce }}">
</form>
</div>
</div>

1
CTFd/templates/register.html
View File

@ -56,6 +56,7 @@
<button type="submit" id="submit" tabindex="5" class="btn btn-md btn-theme btn-outlined pull-right">Submit</button>
</div>
</div>
<input type="hidden" name="nonce" value="{{ nonce }}">
</form>
</div>
</div>

42
CTFd/utils.py
View File

@ -1,9 +1,9 @@
from CTFd.models import db, WrongKeys, Pages, Config
from CTFd.models import db, WrongKeys, Pages, Config, Tracking
from CTFd import mail
from six.moves.urllib.parse import urlparse, urljoin
from functools import wraps
from flask import current_app as app, g, request, redirect, url_for, session, render_template
from flask import current_app as app, g, request, redirect, url_for, session, render_template, abort
from flask.ext.mail import Message
from socket import inet_aton, inet_ntoa
from struct import unpack, pack
@ -18,6 +18,7 @@ import requests
import logging
import os
import sys
import re
def init_logs(app):
@ -78,6 +79,7 @@ def init_errors(app):
def gateway_error(error):
return render_template('errors/502.html'), 502
def init_utils(app):
app.jinja_env.filters['unix_time'] = unix_time
app.jinja_env.filters['unix_time_millis'] = unix_time_millis
@ -89,7 +91,7 @@ def init_utils(app):
@app.context_processor
def inject_user():
if authed():
if session:
return dict(session)
return dict()
@ -100,6 +102,27 @@ def init_utils(app):
if not is_setup():
return redirect(url_for('views.setup'))
@app.before_request
def tracker():
if authed():
track = Tracking.query.filter_by(ip=ip2long(get_ip()), team=session['id']).first()
if not track:
visit = Tracking(ip=get_ip(), team=session['id'])
db.session.add(visit)
db.session.commit()
else:
track.date = datetime.datetime.utcnow()
db.session.commit()
db.session.close()
@app.before_request
def csrf():
if not session.get('nonce'):
session['nonce'] = sha512(os.urandom(10))
if request.method == "POST":
if session['nonce'] != request.form.get('nonce'):
abort(403)
def ctf_name():
name = get_config('ctf_name')
@ -207,11 +230,18 @@ def unix_time_millis(dt):
def get_ip():
trusted_proxies = {'127.0.0.1'} # define your own set
trusted_proxies = [
'^127\.0\.0\.1$',
'^::1$',
'^fc00:',
'^10\.',
'^172\.(1[6-9]|2[0-9]|3[0-1])\.',
'^192\.168\.'
]
combined = "(" + ")|(".join(trusted_proxies) + ")"
route = request.access_route + [request.remote_addr]
remote_addr = next((addr for addr in reversed(route)
if addr not in trusted_proxies), request.remote_addr)
remote_addr = next((addr for addr in reversed(route) if re.match(combined, addr)), request.remote_addr)
return remote_addr

21
CTFd/views.py
View File

@ -17,27 +17,6 @@ import datetime
views = Blueprint('views', __name__)
@views.before_request
def tracker():
if authed():
track = Tracking.query.filter_by(ip=ip2long(get_ip()), team=session['id']).first()
if not track:
visit = Tracking(ip=get_ip(), team=session['id'])
db.session.add(visit)
db.session.commit()
else:
track.date = datetime.datetime.utcnow()
db.session.commit()
db.session.close()
@views.before_request
def csrf():
if request.method == "POST":
if session['nonce'] != request.form.get('nonce'):
abort(403)
@views.before_request
def redirect_setup():
if request.path == "/static/css/style.css":