Tags: danielvazana/CTFd
Mark 3.6.0 (CTFd#2380)

# 3.6.0 / 2023-08-21

**General**

- Translations support for Spanish, Polish, German, Chinese
  - If you wish to fix or maintain a language translation please join at CTFd's public [POEditor page](https://poeditor.com/join/project/p5jhdcrlm7).
- Add a total user registration limit option
- Dynamic value challenges can now choose between linear and logarithmic decay functions
- Free hints are now visible by unauthenticated users if challenges are visible by unauthenticated users
- Fix issue where a custom field named affiliation or website prevented registration
  - No longer special case "Affiliation" or "Website" as custom field titles. Previously custom fields with those titles would set the user's affiliation or website but this behavior has been removed.

**Admin Panel**

- Challenge Preview has been improved to support arbitrary custom themes
- Long flags in the Admin Panel are now truncated but can be expanded and copied
- Add UI to mark incorrect submissions as correct
  - Add the `discard` type for submissions
  - Add `PATCH /api/v1/submissions/[submission_id]` to mark submissions as correct
- Add section in the Config Panel to configure `HTML_SANITIZATION`
  - Setting `HTML_SANITIZATION` to true in `config.ini` cannot be disabled via the Admin Panel
- Add wildcard for email whitelisting

**Deployment**

- Add new envvar `SKIP_DB_PING` to instruct the CTFd Docker image to not test if the database server is available
- Add new config `AWS_S3_ADDRESSING_STYLE`
  - Support selecting the [S3 addressing style](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html#access-bucket-console-ex). It defaults to "auto" as when it's not set, but can also be set to `virtual` or `path`
- Add new config `AWS_S3_CUSTOM_DOMAIN` which specifies a domain that replaces the default one in presigned download URLs
  - Required for certain S3 implementations
- Flask and Werkzeug have been upgraded to v2.0.3. Other dependencies have been updated for compatibility.
  - SQLAlchemy has been updated to v1.4.
  - PyMySQL has been upgraded to v1.0.2.
- The `flask` cli tool is now offered as an alternative to the `manage.py` script.
- gzip compression is now enabled in the provided nginx configuration

**API**

- API tokens now have a description field
- API tokens now start with a `ctfd_` prefix to make them easier to identify
- `GET /api/v1/hints/[hint_id]` will now return hint information for free hints for unauthenticated users if challenges are visible

**Themes**

- core-beta is now provided in all CTFd instances
- core-beta is the default theme during setup

Mark 3.5.2 (CTFd#2295)

# 3.5.2 / 2023-05-01

**General**

- Generate cachable S3 URLs by rounding time down to the previous hour to generate a consistent URL
- Change email whitelist error message to not include the list of allowed domains
- Clean up the language for confirming the password on team password change
- Fix issue where dynamic challenges break if the decay is 0 and prevent users from adding a decay limit of 0 to dynamic value challenges

**Admin Panel**

- Adds support for admins to control `robots.txt`
- Clean up the aesthetics for the 'Pause CTF' and 'View After CTF' configs
- Replaced TLS and SSL checkbox text to match the defaults used by Mozilla Thunderbird to eliminate confusion when configuring SMTP

**Deployment**

- Slim down Docker image by removing several dependencies not needed for production usage
  - The image size has been reduced from 648MB to 398MB
- In the Docker image run CTFd in a virtual environment located at `/opt/venv`
- Add freezegun to application dependencies
- Bump dependencies for pybluemonday, redis, SQLAlchemy-Utils, python-geoacumen-city
- Fix race conditions on cache healthcheck
- Fix situations where numeric config items in config.ini could cause CTFd to not start

Mark 3.5.1 (CTFd#2246)

# 3.5.1 / 2023-01-23

**General**

- The public scoreboard page is no longer shown to users if account visibility is disabled
- Teams created by admins using the normal team creation flow are now hidden by default
- Redirect users to the team creation page if they access certain pages before the CTF starts
- Added a notice on the Challenges page to remind Admins if they are in Admins Only mode
- Fixed an issue where users couldn't login to their team even though they were already on the team
- Fixed an issue with scoreboard tie breaking when an award results in a tie
- Fixed the order of solves, fails, and awards to always be in chronological ordering (latest first).
- Fixed an issue where certain custom fields could not be submitted

**Admin Panel**

- Improved the rendering of Admin Panel tables on mobile devices
- Clarified the behavior of Score Visibility with respect to Account Visibility in the Admin Panel help text
- Added user id and user email fields to the user mode scoreboard CSV export
- Add CSV export for `teams+members+fields` which is teams with Custom Field entries and their team members with Custom Field entries
- The import process will now catch all exceptions in the import process to report them in the Admin Panel
- Fixed issue where `field_entries` could not be imported under MariaDB
- Fixed issue where `config` entries sometimes would be recreated for some reason causing an import to fail
- Fixed issue with Firefox caching checkboxes by adding `autocomplete='off'` to Admin Panel pages
- Fixed issue where Next selection for a challenge wouldn't always load in Admin Panel

**API**

- Improve response time of `/api/v1/challenges` and `/api/v1/challenges/[challenge_id]/solves` by caching the solve count data for users and challenges
- Add `HEAD /api/v1/notifications` to get a count of notifications that have happened.
  - This also includes a `since_id` parameter to allow for a notification cursor.
- Unread notification count can now be tracked by themes that track which notifications a user has read
- Add `since_id` to `GET /api/v1/notifications` to get Notifications that have happened since a specific ID

**Deployment**

- Imports have been disabled when running with a SQLite database backend
  - See CTFd#2131
- Added `/healthcheck` endpoint to check if CTFd is ready
- There are now ARM Docker images for OSS CTFd
- Bump dependencies for passlib, bcrypt, requests, gunicorn, gevent, python-geoacumen-city
- Properly load `SAFE_MODE` config from environment variable
- The `AWS_S3_REGION` config has been added to allow specifying an S3 region. The default is `us-east-1`
- Add individual DATABASE config keys as an alternative to `DATABASE_URL`
  - `DATABASE_PROTOCOL`: SQLAlchemy DB protocol (+ driver, optionally)
  - `DATABASE_USER`: Username to access DB server with
  - `DATABASE_PASSWORD`: Password to access DB server with
  - `DATABASE_HOST`: Hostname of the DB server to access
  - `DATABASE_PORT`: Port of the DB server to access
  - `DATABASE_NAME`: Name of the database to use
- Add individual REDIS config keys as an alternative to `REDIS_URL`
  - `REDIS_PROTOCOL`: Protocol to access Redis server with (either redis or rediss)
  - `REDIS_USER`: Username to access Redis server with
  - `REDIS_PASSWORD`: Password to access Redis server with
  - `REDIS_HOST`: Hostname of the Redis server to access
  - `REDIS_PORT`: Port of the Redis server to access
  - `REDIS_DB`: Numeric ID of the database to access

**Plugins**

- Adds support for `config.json` to have multiple paths to add to the Plugins dropdown in the Admin Panel
- Plugins and their migrations now have access to the `get_all_tables` and `get_columns_for_table` functions
- Email sending functions have now been separated into classes that can be customized via plugins.
  - Add `CTFd.utils.email.providers.EmailProvider`
  - Add `CTFd.utils.email.providers.mailgun.MailgunEmailProvider`
  - Add `CTFd.utils.email.providers.smtp.SMTPEmailProvider`
  - Deprecate `CTFd.utils.email.mailgun.sendmail`
  - Deprecate `CTFd.utils.email.smtp.sendmail`

**Themes**

- The beta interface `Assets.manifest_css` has been removed
- `event-source-polyfill` is now pinned to 1.0.19.
  - See CTFd#2159
  - Note that we will not be using this polyfill starting with the `core-beta` theme.
- Add autofocus to text fields on authentication pages

Set 3.5.0 release date (CTFd#2116)

# 3.5.0 / 2022-05-09

**General**

- Add a next challenge recommendation to challenges
- Add support for only viewing hints after unlocking another hint
- Add size checking and recommendation for images uploaded during setup

**Admin Panel**

- Imports now happen in the background so that admins can watch the status of the import
- Add progress tracking to backup/export importing
- Add `GET /admin/import` to see status of import
- The public user facing portion of CTFd is now disabled during imports
- Fix issue where custom field entries for Users and Teams would be misaligned in the scoreboard CSV export
- Show admins the email server error message when email sending fails
- Fix issue where the current theme cannot be found in list of themes
- Fix page preview so that it accounts for the provided format
- Add links from User/Team Profile IP addresses to a User IP address search page
- Add city geolocation to Team Profile IP addresses

**API**

- Add the `count` meta field to the following endpoints:
  - `/api/v1/users/me/solves`
  - `/api/v1/users/me/fails`
  - `/api/v1/users/me/awards`
  - `/api/v1/teams/me/awards`
  - `/api/v1/users/[user_id]/solves`
  - `/api/v1/users/[user_id]/fails`
  - `/api/v1/users/[user_id]/awards`
  - `/api/v1/teams/[team_id]/solves`
  - `/api/v1/teams/[team_id]/awards`
- Improve speed of `/api/v1/teams/me/fails`
- Improve speed of `/api/v1/teams/[team_id]/fails`
- Improve speed of `/api/v1/users/me/fails`
- Improve speed of `/api/v1/users/[user_id]/fails`

**Deployment**

- Use Python 3.9 as the default Python version
- Prevent any possible usage of an already existing session ID by checking for duplicates during session ID generation
- No longer install `python3-dev` in Dockerfile
- docker-compose.yml now uses `nginx:stable` as the image for nginx

**Plugins**

- `CTFd._internal.challenge.render` and `CTFd._internal.challenge.renderer` in the `view.js` Challenge type file have been deprecated. Instead Challenge plugins should refer to the `challenge.html` attribute provided by the API. Essentially CTFd is moving to having markdown & HTML rendered by the server instead of rendering on the client.

**Themes**

- Create the [`core-beta` theme](https://github.com/CTFd/core-beta) and begin documenting the creation of themes using Vite
- Add `userName` and `userEmail` to the CTFd init object in `base.html` for easier integration with other JavaScript code
- Add `teamId` and `teamName` to the CTFd init object in `base.html` for easier integration with other JavaScript code
- Adds the `Assets` constant to access front end assets from Jinja templates
- Adds a `views.themes_beta` route to avoid the `.dev`/`.min` extension being added automatically to frontend asset urls

**Miscellaneous**

- Fix double logging in `log()` function
- Add `--delete_import_on_finish` to `python manage.py import_ctf`
- Fix issue where `field_entries` table could not be imported when moving between MySQL and MariaDB

Mark 3.4.3 (CTFd#2063)

# 3.4.3 / 2022-03-07

**Security**

- Bump cmarkgfm to 0.8.0 to resolve CVE-2022-24724. Copied entry from 3.4.2 since 3.4.2 introduced a bug that prevented writing raw HTML.

**General**

- Fix issue where raw HTML would not be rendered in markdown

Mark 3.4.1 (CTFd#2055)

# 3.4.1 / 2022-02-19

**General**

- Make session cookies persist in the browser after close
- Fix issue where all-numeric registration codes wouldn't work
- Fix issue where a user's session isn't cleared properly after they are deleted by an admin
- Fix issue where CTF end time couldn't be set during setup

**API**

- Improved speed of the `/api/v1/challenges/[challenge_id]/solves` endpoint
- Document API authentication and `Content-Type` header requirement
- Add nested `UserSchema` and `TeamSchema` to `SubmissionSchema` for easier access to account name

**Admin Panel**

- Improve CSV import error reporting and validation
- Fix non-clickable checkbox label in user creation form in Admin Panel
- Allow submissions per minute ratelimit to be configurable in Admin Panel
- Add a link in the Pages Editor to the [Page Variables documentation page](https://docs.ctfd.io/docs/pages/variables/)

**Themes**

- Fix issue where invalid `theme_settings` can cause broken frontend
- Replace `node-sass` with `sass` and upgrade `sass-loader`

**Deployment**

- Serve all assets from CTFd regardless of internet availability (i.e. fonts and font-awesome)
- Fix regression in `REVERSE_PROXY` to allow comma separated integers
- Bump `flask-restx` to 0.5.1
- Bump `pybluemonday` to 0.0.9
- Added support for S3 signature version 4 authentication to support alternative S3 buckets (Google Cloud Storage, DigitalOcean Spaces, etc)

**Miscellaneous**

- Add a GitHub Actions job to publish Docker images to Dockerhub and ghcr

Mark v3.4.0 (CTFd#1976)

# 3.4.0 / 2021-08-11

**General**

- Added the ability to have Challenge Topics
  - Challenge Topics are small topic strings which are only visible to Admins
  - They should denote what topics a given challenge involves
- Added `connection_info` to Challenges to allow Admins to more easily specify the connection info for a challenge
- Added ability to import CSVs of users, teams, and challenges
- Added ability to limit the total number of teams
- Pages now have access to variables `ctf_name`, `ctf_description`, `ctf_start`, `ctf_end`, `ctf_freeze`. (e.g. `{{ ctf_name }}`)
- IP Addresses in the Admin Panel will now show the city of the IP address as well as the country
- Make User Mode its own dedicated tab in the setup flow and more clearly explain what each user mode does
- Added the ability to have a registration password
  - Does not currently apply to SSO/auth provider or API based account creation
- Prevent users from participating with challenges if their profile is not complete (i.e. haven't filled out all required custom fields)
- Fixed an issue where admins couldn't see some challenges in the add requirements interface
- Fixed an issue where a challenge couldn't be accessed because it had prerequisites on a deleted challenge
- Fixed an issue where User profiles could not be loaded in the Admin Panel due to missing/invalid Tracking IP addresses
- Fixed an issue where users with authentication provider accounts would get an error when attempting to login
- Fixed an issue where MajorLeagueCyber config from config.ini was not being respected

**API**

- Added `connection_info` field to `/api/v1/challenges/[challenge_id]`
- Added `/api/v1/topics` for admins to create/delete topics
- Added `/api/v1/challenges/[challenge_id]/topics` for admins to list the topics on a challenge
- `/api/v1/challenges` will now sort by ID as value to better standardize API output with different databases
- `/api/v1/configs` will now provide an error message when provided Config values are too long
- `PATCH /api/v1/teams/[team_id]` will now only let team members be team captain
  - No security issues here, it would just be invalid data.

**Themes**

- CTFd now has the `THEME_FALLBACK` option enabled by default. This allows users to provide incomplete themes. Missing theme files will be provided from the built-in core theme
- CTFd will now pass the title of a Page over to the template when rendering
- No longer show the token type in user settings
- Added `window.BETA_sortChallenges` to `/challenges` so that theme code can more easily define how to sort challenges
  - Note that this functionality is beta because we expect to revamp the entire themes system
- Added `window.updateChallengeBoard` to `/challenges` so that theme code can more easily define when to update challenges
  - Note that this functionality is beta because we expect to revamp the entire themes system
- Added `window.updateScoreboard` to `/scoreboard` so that theme code can more easily define when to update the scoreboard
  - Note that this functionality is beta because we expect to revamp the entire themes system

**Plugins**

- Added `Challenges.plugin_class` to the Challenges model to access the challenge type plugin class from the Model
  - Allows templates to access the plugin class more easily
  - Allows plugins to access the plugin class without having to load the class explicitly

**Admin Panel**

- Reworked the Challenge Requirements UI
  - Officially support the concept of anonymized challenges if prerequisites aren't met
- Added ability for Pages to be written in direct HTML instead of Markdown
- Pages now have access to variables `ctf_name`, `ctf_description`, `ctf_start`, `ctf_end`, `ctf_freeze`
  - `ctf_start`, `ctf_end`, `ctf_freeze` are represented as ISO8601 timestamps
- Make it easier to change the user mode without having to delete all accounts. Instead we will only delete all submissions.
- When in team mode, user pages will now show their team's score instead of their own personal score
- Show a team member's individual score on their team's page
- Made the challenge creation form wider

**Deployment**

- The `THEME_FALLBACK` config is now set to true by default
- Replace installation and usage of `mysqladmin` (specifically `mysqladmin ping`) with a custom Python script
- Bump version of `pybluemonday` to 0.0.7 (fixes HTML sanitization bypasses and allows comments in HTML)
- Bump `pydantic` from 1.5.1 to 1.6.2

**Miscellaneous**

- Make `.dockerignore` ignore `node_modules` in any subdirectory
- Added `solves` and `solved_by_me` fields to the Swagger documentation for Challenges
- Dynamic challenges will now take their initial valuation from the `inital` keyword instead of the previous `value` keyword.
  - This allows ctfcli to manage dynamic challenges. See CTFd#1875
- Added a timestamp to a CTFd export's filename
- Deleting uploads under the Filesystem upload provider will now delete the parent folder as well as the target file