Commit Graph

46 Commits (2cfc89d4c27ca66983a22877bbb53d4e3e20fbcc)

Author SHA1 Message Date
Kevin Chung 2c4259c999 Bump release date 2020-05-04 01:04:37 -04:00
Kevin Chung 7779175eea Set date 2020-05-03 03:22:43 -04:00
Kevin Chung ba4fce4736 Update changelog 2020-05-02 23:18:54 -04:00
Kevin Chung 735faf0e23 Mark new version and add rough changelog 2020-05-02 02:49:03 -04:00
Kevin Chung 4b6c9ec8bd
Mark 2.3.3 (#1316)
2.3.3 / 2020-04-12
==================

**General**
* Re-enable the Jinja LRU Cache for **significant speedups** when returning HTML content

**API**
* `POST /api/v1/unlocks` will no longer allow duplicate unlocks to happen

**Admin Panel**
* Makes `Account Visibility` subtext clearer by explaining the `Private` setting in Config Panel

**Themes**
* Fixes an issue with using a theme with a purely numeric name
* Fixes issue where the scoreboard graph always said Teams regardless of mode

**Miscellaneous**
* Bump max log file size to 10 MB and fix log rotation
* Docker image dependencies (apk & pip) are no longer cached, reducing the image size slightly
2020-04-12 15:33:00 -04:00
Kevin Chung d80051bcda
Mark 2.3.2 (#1292)
2.3.2 / 2020-03-15
==================

**General**
* Fix awards not being properly assigned to teams in `TEAMS_MODE`

**API**
* Set `/api/v1/statistics/users` route to be admins_only
* When POST'ing to `/api/v1/awards`, CTFd will look up a user's team ID if `team_id` is not specified

**Admin Panel**
* Adds a setting to registration visibility to allow for MLC registration while registration is disabled
* Fix setting theme color during the setup flow and from the Admin Panel

**Themes**
* Fixes users/admins being able to remove profile settings.
    * Previously a bug prevented users from removing some profile settings. Now the `core` theme stores the initial value of inputs as a `data` attribute and checks for changes when updating data. This should be a temporary hack until a proper front-end framework is in place.
* Fix `ezToast()` issue that was keeping toast messages visible indefinitely
* Fix `modal-body` parameters in ezq.js for `ezAlert` and `ezQuery` and fix the progress bar for certain cases in `ezProgressBar`
* Use `authed()` function to check if user is authed in `base.html`. This fixes an issue where a page could look as if the user was logged in.

**Miscellaneous**
* Fix behavior for `REVERSE_PROXY` config setting when set to a boolean instead of a string
* Improve `Dockerfile` to run fewer commands and re-use the build cache
* Add `make coverage` to generate an HTML coverage report
* Update `coverage` and `pytest-cov` development dependencies
2020-03-15 15:33:28 -04:00
Kevin Chung 7cd8d90e0c
2.3.1 dev (#1252)
2.3.1 / 2020-02-17
==================

**General**
* User confirmation emails now have the correct URL format
2020-02-17 20:07:17 -05:00
Kevin Chung 22c132358e
2.3.0 (#1248)
2.3.0 / 2020-02-17
==================

**General**
* During setup, admins can register their email address with the CTFd LLC newsletter for news and updates
* Fix editing hints from the admin panel
* Allow admins to insert HTML code directly into the header and footer (end of body tag) of pages. This replaces and supersedes the custom CSS feature.
    * The `views.custom_css` route has been removed.
* Admins can now customize the content of outgoing emails and inject certain variables into email content.
* The `manage.py` script can now manipulate the CTFd Configs table via the `get_config` and `set_config` commands. (e.g. `python manage.py get_config ctf_theme` and `python manage.py set_config ctf_theme core`)

**Themes**
* Themes should now reference the `theme_header` and `theme_footer` configs instead of the `views.custom_css` endpoint to allow for user customizations. See the `base.html` file of the core theme.

**Plugins**
* Make `ezq` functions available to `CTFd.js` under `CTFd.ui.ezq`

**Miscellaneous**
* Python imports sorted with `isort` and import order enforced
* Black formatter running on a majority of Python code
2020-02-17 02:17:25 -05:00
Kevin Chung d59bfa3578
Mark 2.2.3 (#1222)
2.2.3 / 2020-01-21
==================

### This release includes a critical security fix for CTFd versions >= 2.0.0

All CTFd administrators are recommended to take the following steps:
1. Upgrade their installations to the latest version
2. Rotate the `SECRET_KEY` value
3. Reset the passwords for all administrator users

**Security**
* This release includes a fix for a vulnerability allowing an arbitrary user to take over other accounts given their username and a CTFd instance with emails enabled

**General**
* Users will receive an email notification when their passwords are reset
* Fixed an error when users provided incorrect team join information
2020-01-21 00:06:03 -05:00
Kevin Chung fe85fdf1e5
Mark 2.2.2 (#1212)
2.2.2 / 2020-01-09
==================

**General**
* Add jQuery, Moment, nunjucks, and Howl to window globals to make it easier for plugins to access JS modules
* Fix issue with timezone loading in config page which was preventing display of CTF times
2020-01-09 20:32:50 -05:00
Kevin Chung dc492c97af
Mark 2.2.1 (#1208)
2.2.1 / 2020-01-04
==================

**General**
* Fix issue preventing admins from creating users or teams
* Fix issue importing backups that contained empty directories
2020-01-04 01:20:50 -05:00
Kevin Chung b8d0f80d01
2.2.0 (#1188)
2.2.0 / 2019-12-22
==================

## Notice
2.2.0 focuses on updating the front end of CTFd to use more modern programming practices and changes some aspects of core CTFd design. If your current installation is using a custom theme or custom plugin with ***any*** kind of JavaScript, it is likely that you will need to upgrade that theme/plugin to be usable with v2.2.0.

**General**
* Team size limits can now be enforced from the configuration panel
* Access tokens functionality for API usage
* Admins can now choose how to deliver their notifications
    * Toast (new default)
    * Alert
    * Background
    * Sound On / Sound Off
* There is now a notification counter showing how many unread notifications were received
* Setup has been redesigned to have multiple steps
    * Added Description
    * Added Start time and End time
    * Added MajorLeagueCyber integration
    * Added Theme and color selection
* Fixes issue where updating dynamic challenges could change the value to an incorrect value
* Properly use a less restrictive regex to validate email addresses
* Bump Python dependencies to latest working versions
* Admins can now give awards to team members from the team's admin panel page

**API**
* Team member removals (`DELETE /api/v1/teams/[team_id]/members`) from the admin panel will now delete the removed members' Submissions, Awards, Unlocks

**Admin Panel**
* Admins can now use a color input box to specify a theme color which is injected as part of the CSS configuration. Theme developers can use this CSS value to change colors and styles accordingly.
* Challenge updates will now alert you if the challenge doesn't have a flag
* Challenge entry now allows you to upload files and enter simple flags from the initial challenge creation page

**Themes**
* Significant JavaScript and CSS rewrite to use ES6, Webpack, yarn, and babel
* Theme asset specially generated URLs
    * Static theme assets are now loaded with either .dev.extension or .min.extension depending on production or development (i.e. debug server)
    * Static theme assets are also given a `d` GET parameter that changes per server start. Used to bust browser caches.
* Use `defer` for script tags to not block page rendering
* Only show the MajorLeagueCyber button if configured in configuration
* The admin panel now links to https://help.ctfd.io/ in the top right
* Create an `ezToast()` function to use [Bootstrap's toasts](https://getbootstrap.com/docs/4.3/components/toasts/)
* The user-facing navbar now features icons
* Awards shown on a user's profile can now have award icons
* The default MarkdownIt render created by CTFd will now open links in new tabs
* Country flags can now be shown on the user pages

**Deployment**
* Switch `Dockerfile` from `python:2.7-alpine` to `python:3.7-alpine`
* Add `SERVER_SENT_EVENTS` config value to control whether Notifications are enabled
* Challenge ID is now recorded in the submission log

**Plugins**
* Add an endpoint parameter to `register_plugin_assets_directory()` and `register_plugin_asset()` to control what endpoint Flask uses for the added route

**Miscellaneous**
* `CTFd.utils.email.sendmail()` now allows the caller to specify subject as an argument
    * The subject allows for injecting custom variables via the new `CTFd.utils.formatters.safe_format()` function
* Admin user information is now error checked during setup
* Added yarn to the toolchain and the yarn dev, yarn build, yarn verify, and yarn clean scripts
* Prevent old CTFd imports from being imported
2019-12-22 23:17:34 -05:00
Kevin Chung a9b2fe15e3
Mark 2.1.5 (#1126)
2.1.5 / 2019-10-2
=================

**General**
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
* Avoid exception on sessions without a valid user and force logout
* Fix several issues in Vagrant provisioning

**API**
* Prevent users from nulling out profile values and breaking certain pages
2019-10-02 02:25:30 -04:00
Kevin Chung 3b1b82b9a0
Mark 2.1.4 (#1096)
2.1.4 / 2019-08-30
==================

**General**
* Make user pages show the team's score and place information instead of the user's information if in team mode
* Allow admins to search users by IP address
* Require password for email address changes in the user profile
* The place indicator in `Teams Mode` on the team pages and user pages now correctly excludes hidden teams
* Fix scoreboard place ordinalization in Python 3
* Fix for a crash where imports will fail on SQLite due to lack of ALTER command support
* Fix for an issue where files downloaded via S3 would have the folder name in the filename
* Make `Users.get_place()` and `Teams.get_place()` return None instead of 0 if the account has no rank/place
* Properly redirect users or 403 if the endpoint requires a team but the user isn't in one
* Show affiliation in user and team pages in the admin panel and public and private user and team pages

**Themes**
* Remove invalid `id='submit'` on submit buttons in various theme files
* Set `tabindex` to 0 since we don't really care for forcing tab order
* Rename `statistics.js` to `graphs.js` in the Admin Panel as it was identified that adblockers can sometimes block the file

**API**
* The team profile endpoint (`/api/v1/teams/me`) will now return 403 instead of 400 if the requesting user is not the captain
* The Challenge API will now properly freeze the solve count to freeze time
2019-08-31 14:45:08 -04:00
Kevin Chung 2bca60790d
Mark 2.1.3 (#1036)
2.1.3 / 2019-06-22
==================

**General**
* Fix issue with downloading files after CTF end when `view_after_ctf` is enabled
* Sort solves in admin challenge view by date
* Link to appropriate user and challenge in team, user, and challenge pages
* Redirect to `/team` instead of `/challenges` after a user registers in team mode
* Fixes bug where pages marked as `hidden` weren't loading
* Remove `data-href` from `pages.html` in the Admin Panel to fix the delete button
* Add UI to handle team member removal in Admin Panel
* Fixes account links on the scoreboard page created by `update()`. They now correctly point to the user instead of undefined when in user mode.
* `utils._get_config` will now return `KeyError` instead of `None` to avoid cache misses

**Deployment**
* Use `/dev/shm` for `--worker-tmp-dir` in gunicorn in Docker
* Cache `get_place` code for users and teams.
* Install `Flask-DebugToolbar` in development
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Make unprivileged `ctfd` user usable for mysql connection in docker-compose by having the db image create the database instead of CTFd
* Fix bug causing apache2 + mod_wsgi deployments to break

**API**
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
    * Endpoint was unused so the API change is considered non-breaking.
* Add `account_type` and `account_url` field in `/api/v1/scoreboard`
* Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into separate API endpoints
* Clear standings cache after award creation/deletion

**Exports**
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
* Add `cache_timeout` parameter to `send_file` response in `/admin/export` to prevent the browser from caching the export

**Tests**
* Fix score changing test helpers to clear standings cache when generating a score changing row
2019-06-22 20:07:01 -07:00
Kevin Chung 49b48a9e53
Mark 2.1.2 (#994)
2.1.2 / 2019-05-13
==================

**General**
* Fix freeze time regressions in 2.x
    * Make `/api/v1/[users,teams]/[me]/[solves,fails,awards]` endpoints load as admin so users can see their solves after freeze
    * Make `/api/v1/challenges/[id]/solves` only show solves before freeze time
        * Add the `?preview=true` GET parameter for admins to preview challenges solves as a user
* Team join attempts are now ratelimited

**Tests**
* More linting and autoformatting rules
    * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/**/*'`
    * Format Python with `black`: `black CTFd` and `black tests`
    * `make lint` and thus Travis now include the above commands as lint checks
* Travis now uses xenial instead of trusty.
2019-05-13 23:50:34 -04:00
Kevin Chung b7a19f74ff
Mark 2.1.1 (#982)
2.1.1 / 2019-05-04
==================

**General**
* Allow admins to hit `/api/v1/challenges` and `/api/v1/challenges/[id]` without having a team to fix challenge previews
* Fix rate-limiting of flag submission when using team mode
* Fixes some modal close buttons not working in the admin panel
* Fixes `populate.py` to assign captains to teams.

**Models**
* Added `Challenges.flags` relationship and moved the `Flags.challenge` relationship to a backref on Challenges
* Added `ondelete='CASCADE'` to most ForeignKeys in models allowing for deletions to remove associated data
    * `Hints` should be deleted when their Challenge is deleted
    * `Tags` should be deleted when their Challenge is deleted
    * `Flags` should be deleted when their Challenge is deleted
    * `ChallengeFiles` should be deleted when their Challenge is deleted
        * Deletion of the file itself is not handled by the model/database
    * `Awards` should be deleted when their user or team is deleted
    * `Unlocks` should be deleted when their user or team is deleted
    * `Tracking` should be deleted when their user or team is deleted
    * `Teams.captain_id` should be set to NULL when the captain user is deleted

**Exports**
* Force `db.create_all()` to happen for imports on `sqlite` or on failure to create missing tables
* Force `ctf_theme` to be set to `core` in imports in case a theme is missing from the import or the instance
* Fix imports/exports to emit and accept JSON properly under MariaDB
    * MariaDB does not properly understand JSON so it must accept strings instead of dicts
    * MariaDB outputs strings instead of JSON for its JSON type so the export serializer will attempt to cast output JSON strings to JSON objects

**Deployment**
* Run as root when using docker-compose
    * This is necessary to be able to write to the volumes mounted from the host
2019-05-04 19:49:39 -04:00
Kevin Chung c4e9b7037a
Reduce default gunicorn worker count to reduce memory usage (#968)
Drop the default worker count in `docker-entrypoint.sh` because the default memory usage was higher than it needed to be. If you need more workers you can still increase the values and set a `SECRET_KEY` as before.
2019-04-25 15:05:20 -04:00
Kevin Chung 069d4382e1
Mark 2.1.0 and update CHANGELOG (#967) 2019-04-24 20:33:17 -04:00
Kevin Chung 33367422a5
Mark 2.0.6 (#946)
2.0.6 / 2019-04-08
==================

**Security**
* Fixes an issue where user email addresses could be disclosed to non-admins

**General**
* Users/Teams set to hidden or banned are no longer visible by other users
    * This affects the API and the main user interface. This does not affect admins.
* Users without Teams can no longer view challenges when the CTF is in Team Mode
2019-04-08 07:57:40 -04:00
Kevin Chung 268ed85f60
Update CHANGELOG and bump version (#920)
* Bump version to 2.0.5
2019-03-23 01:26:46 -04:00
Kevin Chung 385d128d73
Mark 2.0.4 (#863) 2019-01-31 02:09:48 -05:00
Kevin Chung e70c985d73
Fix update_check() logic (#830)
* Fix update_check() logic so that we don't accidentally remove the link to updates
* Update CHANGELOG
2019-01-12 14:04:51 -05:00
Kevin Chung fed0366ac0
Mark 2.0.3 (#828)
* Mark 2.0.3
2019-01-12 10:53:25 -05:00
Kevin Chung f1d0221ee2
Mark 2.0.2 (#819)
* Mark 2.0.2
* [ci-skip] Fix grammar issues
2019-01-04 02:14:04 -05:00
Kevin Chung f3a97f7344
Mark 2.0.1 release (#796) 2018-12-09 15:47:56 -05:00
Kevin Chung 809e4df471
Update CHANGELOG (#775) 2018-12-02 11:54:48 -05:00
Kevin Chung fb0d8877cb
Update CHANGELOG (#770) 2018-11-30 22:41:19 -05:00
Kevin Chung 825190ba3a
Release 2.0.0 (#763)
* Update CHANGELOG
2018-11-28 22:30:32 -05:00
Kevin Chung 2bd310b5d9
Mark 2.0.0 (#757)
* Update CHANGELOG
* Update README
* Upgrade migration script to port visibility settings
* Add message about visibility settings and port over visibility settings
* Close #758
* Add tests for dynamic value challenges
2018-11-26 20:32:04 -05:00
Kevin Chung 310475d739
Finalize 2.0.0 (#747)
* Update CHANGELOG
* Default config.py values to load from envvars
2018-11-23 01:36:21 -05:00
Kevin Chung 4fde0368db
2.0.0 Supplementary Changes (#744)
* Clean up models a little
* Add 1.2.0 migration script
* Add 2.0.0 CHANGELOG
* Fix S3 uploader
* Update config.py to grab S3 settings from envvars
2018-11-22 11:05:47 -05:00
Kevin Chung 9cedf456b5
Marking 1.2.0 (#628)
* Mark 1.2.0.
* Update CHANGELOG.
* Add `window.challenge.data` object. 
* Don't raise a 500 when an endpoint can't be found but was POST'ed to. Mostly from scanners...
    * Add test for not found endpoints.
* Fixing issue with clearing logo on config update.
* Truncate scoreboard team name to 50 characters.
2018-05-04 17:24:02 -04:00
Kevin Chung 96a3d2c9bd
Marking 1.1.4 (#605)
* Marking 1.1.4
2018-04-05 14:24:27 -04:00
Kevin Chung 0efda80006
Marking 1.1.3 (#599)
* Version 1.1.3
2018-03-27 12:20:58 -04:00
Kevin Chung 643378bee9
Marking 1.1.2 (#559)
**General**

* Fixed page links on subdirectory deployments
* Fixed challenge updating on subdirectory deployments
* Fixed broken icon buttons on Safari

**Themes**

* Upgraded to Bootstrap 4.0.0
* Upgraded to jQuery 3.3.1
* Upgraded to FontAwesome 5.0.4
2018-01-23 10:19:17 -05:00
Kevin Chung 2e2d458f36
Mark 1.1.1 (#544)
* Marking 1.1.1
2018-01-08 01:56:06 -05:00
Kevin Chung fa9cb2498b
Guarantee ctf version (#538)
* Make sure ctf_version is set correctly
2017-12-22 16:22:31 -05:00
Kevin Chung 7e5e18fd6e
Only prompt for upgrades if there's a TTY & mark 1.1.0 (#537) 2017-12-22 13:10:40 -05:00
Kevin Chung f748d09b9c Update Changelog for recent changes 2017-12-20 00:18:02 -05:00
Kevin Chung 3af98b17d5
Version 1.1 CTFd (#514)
* Bootstrap v4 (#490)
* Upgrading original theme to use Bootstrap v4 and overall improve use of utility classes
* Fixing graph issues. Colors per team & cleaner hover
* The solves tab now shows relative time instead of absolute time
* Redesign admin theme
* Updating modals and changing form name from desc to description
* Moving CSS config from Pages to Config page
* Adding IP address count to statistics
* Move control of certain modals (files, flags, tags, hints) to challenges page
* Expanding size of config page
* Combining statistics and graphs pages
* Moving percentage solved to the statistics page instead of the admin challenges page

* Rename Keys.key_type to Keys.type (#459) (#478)

* Rename keys.key_type to keys.type (#459)
* Fixing previous migration to not be worried about key_type v type

* Fixing loading of challenge type plugins

* Switching from Handlebars to Nunjucks (#491)

* Switching from Handlebars to Nunjucks
* Allow admins to unlock hints before CTF begins and test that this is not allowed for regular users

* Authed only (#492)

* Adding authed_only decorator and adding next to url_for

* Adding a basic preview to hints (#494)

* Hints have a preview now for creating and updating hints. HTML and markdown are still allowed.

* Ezq (#495)

* Adding ezq as a simple wrapper around bootstrap modals

* Use tabs not spaces and remove gray background on inputs

* Adding title & draft to Pages. Making page preview open a new tab (#497)

* Adding title & draft to Pages.
* Making page preview open a new tab instead of render in the existing tab
* Draft pages cannot be seen without a preview

* Update check (#499)

* Add update_check function
* Notify user that a CTFd update is available in the admin panel
* Adding update_check tests

* Ratelimit (#500)

* Implementing a ratelimit function 
* Fix error page formatting
* Add rate limiting tests
* Rate limit authentication functions and rate limit admin send email function

* Load user solves before we load challenges to avoid unstyled buttons (#502)

* Add a challenge preview (#503)

* Adding a challenge preview to the admin panel
* Change /admin/chals/<int:chalid> to /admin/chal/<int:chalid>

* Adding codecov (#504)

* Test coverage at https://codecov.io/gh/CTFd/CTFd

* Sendmail improvements (#505)

* Add get_smtp timeout, add sendmail error messages
* Adding more error handling to sendmail

* Adding Flask-Script (#507)

* Pause ctf (#508)

* Implement CTF pausing
* Test CTF pausing

* Fix loading challenges for users (#510)

* Fix loading challenges for users
* Temporarily switch themes in test

* Pause help text (#509)

* Adding pause help text

* Pages authed (#511)

* Adding authentication options to pages
* Adding tests for accessing pages while draft & auth_required

* Merging master into 1.1 (#513)

* Name the core theme and remove the original theme
2017-12-11 06:42:07 -05:00
Kevin Chung b4f29e1450 Update CHANGELOG with missing changes 2017-10-25 16:01:54 -04:00
Kevin Chung c1895ef554 Marking 1.0.5 (#429)
* Update changelog
* Marking 1.0.5
2017-10-25 15:36:41 -04:00
Kevin Chung 50ad759a19 Marking 1.0.4 2017-09-09 02:35:06 -04:00
Kevin Chung dea59a1bc8 Updating CHANGELOG 2017-07-01 14:18:23 -04:00
Kevin Chung 935027c55d Marking 1.0.0 (#196)
* Use <int:xxx> in routes to prevent some errors 500 (#192)

* Use first_or_404() to prevent some errors 500 (#193)

* Add a populating script for awards. (#191)

* Creating upload_file util

* Marking 1.0.0 in __init__ and starting database migrations

* Upgrading some more HTML

* Adding CHANGELOG.md
2017-01-24 23:06:16 -05:00