Commit Graph

868 Commits (snyk-fix-d4426f7cdb30767e4252b5a6d73a2f7c)

Author SHA1 Message Date
Kevin Chung 0bae69bee4
Prevent double confirmations from happening (#1253)
* Prevents user from confirming their account twice
2020-02-17 21:46:24 -05:00
Kevin Chung 7cd8d90e0c
2.3.1 dev (#1252)
2.3.1 / 2020-02-17
==================

**General**
* User confirmation emails now have the correct URL format
2020-02-17 20:07:17 -05:00
Kevin Chung 22c132358e
2.3.0 (#1248)
2.3.0 / 2020-02-17
==================

**General**
* During setup, admins can register their email address with the CTFd LLC newsletter for news and updates
* Fix editting hints from the admin panel
* Allow admins to insert HTML code directly into the header and footer (end of body tag) of pages. This replaces and supercedes the custom CSS feature.
    * The `views.custom_css` route has been removed.
* Admins can now customize the content of outgoing emails and inject certain variables into email content.
* The `manage.py` script can now manipulate the CTFd Configs table via the `get_config` and `set_config` commands. (e.g. `python manage.py get_config ctf_theme` and `python manage.py set_config ctf_theme core`)

**Themes**
* Themes should now reference the `theme_header` and `theme_footer` configs instead of the `views.custom_css` endpoint to allow for user customizations. See the `base.html` file of the core theme.

**Plugins**
* Make `ezq` functions available to `CTFd.js` under `CTFd.ui.ezq`

**Miscellaneous**
* Python imports sorted with `isort` and import order enforced
* Black formatter running on a majority of Python code
2020-02-17 02:17:25 -05:00
Kevin Chung 354954bbe9
Add config manipulation to manage.py (#1233)
* Adds `get_config` and `set_config` commands to `manage.py` to manipulate the Config table from a CLI
* Closes #1226
2020-02-12 01:27:06 -05:00
Kevin Chung 1049a14b90
Fix SMTP email From header and remove 'Admin' from the From header (#1229)
* Fix SMTP email From header and remove 'Admin' from the From header
2020-02-11 21:35:58 -05:00
Kevin Chung 309e62520e
Fix dynamic challenge hint loading (#1224)
* Fixes hint loading for dynamic challenges
2020-01-28 22:16:44 -05:00
Kevin Chung d59bfa3578
Mark 2.2.3 (#1222)
2.2.3 / 2020-01-21
==================

### This release includes a critical security fix for CTFd versions >= 2.0.0

All CTFd administrators are recommended to take the following steps:
1. Upgrade their installations to the latest version
2. Rotate the `SECRET_KEY` value
3. Reset the passwords for all administrator users

**Security**
* This release includes a fix for a vulnerability allowing an arbitrary user to take over other accounts given their username and a CTFd instance with emails enabled

**General**
* Users will receive an email notification when their passwords are reset
* Fixed an error when users provided incorrect team join information
2020-01-21 00:06:03 -05:00
Kevin Chung a2551db690
Add a password change notification email (#1221)
* Adds an email notification for password resets
2020-01-20 23:05:44 -05:00
Kevin Chung 60c46af58a
Sign sessions using SECRET_KEY to simplify revocation (#1219)
* Sign sessions using `SECRET_KEY`
* Add `CTFd.utils.security.signing.sign` and `CTFd.utils.security.signing.unsign`
2020-01-20 21:53:08 -05:00
Kevin Chung 83efc4d5eb
Fix error with invalid team information and team size limits (#1220)
* Fix error when joining teams with a size limit
2020-01-20 20:34:11 -05:00
Kevin Chung f660ed1fb7
Strip spaces on registration and have reset password use email address instead of names (#1218)
* Usernames are now properly stripped before being used in registration checks
* Reset password function now uses email addresses instead of user names for tokens
* Prevent MLC users from resetting their password
2020-01-20 14:22:06 -05:00
Kevin Chung fe85fdf1e5
Mark 2.2.2 (#1212)
2.2.2 / 2020-01-09
==================

**General**
* Add jQuery, Moment, nunjucks, and Howl to window globals to make it easier for plugins to access JS modules
* Fix issue with timezone loading in config page which was preventing display of CTF times
2020-01-09 20:32:50 -05:00
Kevin Chung d37805b6fe
Fix timezone loading in time config page (#1211)
* Fix an issue where CTF times could not be displayed in the admin panel because timezones weren't available
2020-01-09 18:41:41 -05:00
Kevin Chung d30bd182d2
Add jQuery, Moment, nunjucks, and Howl to window globals (#1209)
* Add jQuery, Moment, nunjucks, and Howl to window globals
2020-01-08 18:06:15 -05:00
Kevin Chung dc492c97af
Mark 2.2.1 (#1208)
2.2.1 / 2020-01-04
==================

**General**
* Fix issue preventing admins from creating users or teams
* Fix issue importing backups that contained empty directories
2020-01-04 01:20:50 -05:00
fengkx 7ff6163309 fix: fix import uploads (#1173)
* Fixes issue with importing backups that contain invalid empty directories
2020-01-03 23:56:12 -05:00
Kevin Chung 5b65a6ced0
Remove CTFd Slack references in README to reference MLC Discourse (#1204)
* Replace references to the CTFd Slack with MLC Discourse references
2020-01-03 23:07:46 -05:00
Kevin Chung d5128c2fa4
Seperate out admin theme from core more to fix #1200 (#1202)
* Separate out admin theme from core more to fix #1200
2020-01-03 22:18:05 -05:00
Kevin Chung b8d0f80d01
2.2.0 (#1188)
2.2.0 / 2019-12-22
==================

## Notice
2.2.0 focuses on updating the front end of CTFd to use more modern programming practices and changes some aspects of core CTFd design. If your current installation is using a custom theme or custom plugin with ***any*** kind of JavaScript, it is likely that you will need to upgrade that theme/plugin to be useable with v2.2.0. 

**General**
* Team size limits can now be enforced from the configuration panel
* Access tokens functionality for API usage
* Admins can now choose how to deliver their notifications
    * Toast (new default)
    * Alert
    * Background
    * Sound On / Sound Off
* There is now a notification counter showing how many unread notifications were received
* Setup has been redesigned to have multiple steps
    * Added Description
    * Added Start time and End time,
    * Added MajorLeagueCyber integration
    * Added Theme and color selection
* Fixes issue where updating dynamic challenges could change the value to an incorrect value
* Properly use a less restrictive regex to validate email addresses
* Bump Python dependencies to latest working versions
* Admins can now give awards to team members from the team's admin panel page

**API**
* Team member removals (`DELETE /api/v1/teams/[team_id]/members`) from the admin panel will now delete the removed members's Submissions, Awards, Unlocks

**Admin Panel**
* Admins can now user a color input box to specify a theme color which is injected as part of the CSS configuration. Theme developers can use this CSS value to change colors and styles accordingly.
* Challenge updates will now alert you if the challenge doesn't have a flag
* Challenge entry now allows you to upload files and enter simple flags from the initial challenge creation page

**Themes**
* Significant JavaScript and CSS rewrite to use ES6, Webpack, yarn, and babel
* Theme asset specially generated URLs
    * Static theme assets are now loaded with either .dev.extension or .min.extension depending on production or development (i.e. debug server)
    * Static theme assets are also given a `d` GET parameter that changes per server start. Used to bust browser caches.
* Use `defer` for script tags to not block page rendering
* Only show the MajorLeagueCyber button if configured in configuration
* The admin panel now links to https://help.ctfd.io/ in the top right
* Create an `ezToast()` function to use [Bootstrap's toasts](https://getbootstrap.com/docs/4.3/components/toasts/)
* The user-facing navbar now features icons
* Awards shown on a user's profile can now have award icons
* The default MarkdownIt render created by CTFd will now open links in new tabs
* Country flags can now be shown on the user pages

**Deployment**
* Switch `Dockerfile` from `python:2.7-alpine` to `python:3.7-alpine`
* Add `SERVER_SENT_EVENTS` config value to control whether Notifications are enabled
* Challenge ID is now recorded in the submission log

**Plugins**
* Add an endpoint parameter to `register_plugin_assets_directory()` and `register_plugin_asset()` to control what endpoint Flask uses for the added route

**Miscellaneous**
* `CTFd.utils.email.sendmail()` now allows the caller to specify subject as an argument
    * The subject allows for injecting custom variable via the new `CTFd.utils.formatters.safe_format()` function
* Admin user information is now error checked during setup
* Added yarn to the toolchain and the yarn dev, yarn build, yarn verify, and yarn clean scripts
* Prevent old CTFd imports from being imported
2019-12-22 23:17:34 -05:00
Christian Clauss 6d192a7c14 Fix NameError in 1_2_0_upgrade_2_0_0.py
Fixes a NameError in `1_2_0_upgrade_2_0_0.py`
2019-12-19 21:26:19 -05:00
Dave 97f5dcaf8c Strip password before length check (#1155)
* Strip password before length check
* Pin black to an older version
2019-11-05 23:25:39 -05:00
Kevin Chung 6c5c63d667
Don't redirect the /events endpoint to login (#1132)
* Detect `text/event-stream` in `authed_only` to prevent unnecessary redirects to `/login`
2019-10-11 23:18:44 -07:00
Kevin Chung a9b2fe15e3
Mark 2.1.5 (#1126)
2.1.5 / 2019-10-2
=================

**General**
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
* Avoid exception on sessions without a valid user and force logout
* Fix several issues in Vagrant provisioning

**API**
* Prevent users from nulling out profile values and breaking certain pages
2019-10-02 02:25:30 -04:00
Kevin Chung b15f1787e4
Prevent users from nulling out profile values (#1125)
* Prevent users from nulling out profile values
2019-10-02 01:22:54 -04:00
Kevin Chung b8c1970b8e
Fix CSV exports in Python 3 by converting StringIO to BytesIO (#1107)
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
2019-09-10 03:22:01 -04:00
Kevin Chung 607c517d28
Avoid exception on session without a valid user and force logout (#1106)
* Avoid exception on sessions without a valid user and force logout
2019-09-09 21:18:07 -04:00
Joshua Dugie cee6fe3593 Fix several issues in Vagrant provisioning (#1046)
* Fixes to Vagrantfile
2019-09-08 13:04:48 -04:00
Kevin Chung 7a7595cf03
Fix flask run by not monkey patching for gevent in wsgi.py (#1101)
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Closes #1099
2019-09-05 19:50:52 -04:00
Kevin Chung 3b1b82b9a0
Mark 2.1.4 (#1096)
2.1.4 / 2019-08-30
==================

**General**
* Make user pages show the team's score and place information instead of the user's information if in team mode
* Allow admins to search users by IP address
* Require password for email address changes in the user profile
* The place indicator in `Teams Mode` on the team pages and user pages now correctly excludes hidden teams
* Fix scoreboard place ordinalization in Python 3
* Fix for a crash where imports will fail on SQLite due to lack of ALTER command support
* Fix for an issue where files downloaded via S3 would have the folder name in the filename
* Make `Users.get_place()` and `Teams.get_place()` for return None instead of 0 if the account has no rank/place
* Properly redirect users or 403 if the endpoint requires a team but the user isn't in one
* Show affiliation in user and team pages in the admin panel and public and private user and team pages

**Themes**
* Remove invalid `id='submit'` on submit buttons in various theme files
* Set `tabindex` to 0 since we don't really care for forcing tab order
* Rename `statistics.js` to `graphs.js` in the Admin Panel as it was identified that adblockers can sometimes block the file

**API**
* The team profile endpoint (`/api/v1/teams/me`) will now return 403 instead of 400 if the requesting user is not the captain
* The Challenge API will now properly freeze the solve count to freeze time
2019-08-31 14:45:08 -04:00
Kevin Chung c88e0556eb
1092 fix solve count leak during freeze (#1095)
* Challenges properly get solve count during freeze time
* Closes #1092
2019-08-29 23:22:24 -04:00
MartinJM 941ca8f506 The place indicator on the team page now excludes counting hidden teams (#1094)
* The place indicator in Team Mode on the team pages and user pages now excludes counting hidden teams.
* Updated `flask-marshmallow` to 0.10.1, `marshmallow-sqlalchemy` to 0.17.0 
* Pinned `marshmallow` to 2.20.2
* Closes #1093
* Closes #1088
2019-08-29 22:04:05 -04:00
Kevin Chung 75a9a5a697
Rename statistics.js to graphs.js (#1086)
* Rename `statistics.js` to `graphs.js` in the admin panel to avoid getting blocked by ad blockers
2019-08-17 20:06:22 -04:00
Kevin Chung bef5f1796b
Fix broken buttons by not hijacking click event without data-href attribute (#1081)
* Fix broken buttons by not hijacking click event without `data-href` attribute
2019-08-09 00:35:29 -04:00
Kevin Chung 5c4f1d78fa
Remove invalid id='submit' on submit buttons and correctly set tabindex to 0 (#1080)
* Remove invalid id='submit' on submit buttons
* Set `tabindex` to 0 since we don't really care for forcing tab order.
2019-08-08 18:27:44 -04:00
Kevin Chung 71240bb13d
Require password for email change (#1077)
* Require password for email changes
2019-08-04 20:28:20 -04:00
Kevin Chung 3453eafcab
Flaky redis events tests (#1072)
* Fix flaky redis tests
* Add a random integer helper for tests
2019-07-30 03:25:29 -04:00
Sachin S. Kamath 34bab12a99 Add feature to search users by IP address (#1059)
* Allows admins to search users by IP address
* Closes #1054
2019-07-30 01:09:41 -04:00
Kevin Chung cf7959ab16
Attempt to fix randomly failing tests (#1071)
* Fix flaky tests that require redis which were occasionally failing
2019-07-29 23:15:26 -04:00
Kevin Chung 2bdf7b64d6
Fix place ordinal calculation (#1067)
* Fix scoreboard place ordinalization in Python 3
* Extract ordinalization code to `CTFd.utils.humanize.numbers.ordinalize`.
2019-07-24 01:44:20 -04:00
Kevin Chung f2e0b9e8b5
Add argparse to populate.py and fix some lints (#1064)
* Make `populate.py` configurable from command line
2019-07-21 15:08:37 -04:00
Kevin Chung bf05b30d56
Don't reuse used oauth_ids in populate.py (#1062)
* Fix `populate.py` from using an `oauth_id` twice.
2019-07-16 21:52:39 -04:00
Kevin Chung 1c9e36fa8f
Show affiliation in user and team pages in the admin panel (#1037)
* Show affiliation in user and team pages in the admin panel and public and private user and team pages. 
* Make user pages show team information (score, place) instead of user information if in team mode. 
* Make `Users.get_place()` and `Teams.get_place()` for return None instead of 0 if the account has no rank. (Closes #1039)
* Make `populate.py` randomly add affiliations and officials
2019-07-12 07:14:08 -04:00
Kevin Chung b453125726
Fix missing Team API exceptions (#1058)
* Add require_team decorator to endpoints that request teams.
* Change status code for captain endpoints to return 403 instead of 400
2019-07-12 00:53:35 -04:00
Kevin Chung f033f16490
Fix S3 file downloads to not contain the folder name (#1056)
* Fixes a bug in S3 downloads where a downloaded file would have its parent folder name in the filename
2019-07-11 17:04:32 -04:00
Kevin Chung 9b07f4ecf9
Revert "Switch Dockerfile from python:2.7-alpine to python:3.7-alpine (#1055)" (#1057)
This reverts commit 7eff04dc4c.
2019-07-10 22:58:38 -04:00
Kevin Chung 7eff04dc4c
Switch Dockerfile from python:2.7-alpine to python:3.7-alpine (#1055) 2019-07-10 01:16:23 -04:00
Sachin S. Kamath 93170e4a9d Fixed minor error in plugin doc (#1053)
Signed-off-by: Sachin Kamath <sskamath96@gmail.com>
2019-07-08 00:18:49 -04:00
Kevin Chung 56342bedc5
Minor docs fix (#1050)
* Rework scoring formats section
2019-07-04 13:49:16 -04:00
Kevin Chung 78fee9667a
Docs scoring page (#1049)
* Bump docs version to 2.1.3.
* Add documentation on scoreboard integrations. 
* Add logo to documentation.
2019-07-04 12:11:10 -04:00
Kevin Chung 8b3bb92c9d
Only add team_captain_id foreign key if the db backend isn't SQLite (#1048)
* Only add `teams.team_captain_id` foreign key if the db backend isn't SQLite. SQLite does not support ALTER for the manipulation of columns/constraints. 
* Closes #1041
2019-07-03 00:04:50 -04:00