Releases: CTFd/CTFd
3.7.0 / 2024-02-26
General
- Add ability for users to generate social share links after solving a challenge
  - After solving a challenge users can click a "share" button which can generate Twitter, Facebook, LinkedIn links
- Add Scoreboard Brackets feature to have multiple sub-scoreboards within the main scoreboard
  - Admins can add a bracket for users/teams which must be selected during the registration process. Within the scoreboard, accounts can be organized by bracket in addition to seeing the full list
- Calculate a file's sha1sum on upload for future local change detection purposes
- Allow API clients (CTFd, ctfcli, etc) to control the location of an uploaded file
- Allow challenge CSVs to contain JSON in the hints and flags columns so that admins can import more complex data
- Fix issue where hints could not be unlocked during freeze time
- Use the CTF name as the default index page name
API
- Add `bracket_name` and `bracket_id` to `/api/v1/scoreboard`
- Add `sha1sum` to `GET /api/v1/files`
- Add `location` to `POST /api/v1/files`
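The `sha1sum` now recorded on upload and returned by `GET /api/v1/files` exists so that a client such as ctfcli can tell whether a local handout still matches what the server holds. The following is an added example of that comparison, not code from CTFd or ctfcli: it hashes local bytes the same way (SHA-1 over the file contents) and compares against a constructed sample of the file listing. The exact JSON shape of the listing is an assumption; only the `location` and `sha1sum` fields per entry come from the release notes.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample of a file listing. The response envelope is an assumption;
# "location" and "sha1sum" per entry are the fields named in the 3.7.0 notes.
SAMPLE_REMOTE_LISTING = json.loads("""
{
  "success": true,
  "data": [
    {"id": 1, "location": "abc123/handout.zip",
     "sha1sum": "a9993e364706816aba3e25717850c26c9cd0d89d"},
    {"id": 2, "location": "def456/notes.txt",
     "sha1sum": "0000000000000000000000000000000000000000"}
  ]
}
""")


def sha1sum_bytes(data: bytes) -> str:
    """Lowercase hex SHA-1 of an in-memory blob (same digest CTFd records)."""
    return hashlib.sha1(data).hexdigest()


def sha1sum_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large handouts are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_changed(local_files: dict, remote_listing: dict) -> dict:
    """Classify each local file against the server's recorded sha1sum.

    local_files maps a server-side location to the local file's bytes.
    Returns {location: "unchanged" | "modified" | "new"}, where "new" means the
    server has no entry for that location at all.
    """
    remote = {e["location"]: e["sha1sum"].lower() for e in remote_listing["data"]}
    result = {}
    for location, data in local_files.items():
        if location not in remote:
            result[location] = "new"
        elif sha1sum_bytes(data) == remote[location]:
            result[location] = "unchanged"
        else:
            result[location] = "modified"
    return result


if __name__ == "__main__":
    # Constructed local copies: the first matches the server, the second does not,
    # the third is not known to the server.
    local = {
        "abc123/handout.zip": b"abc",
        "def456/notes.txt": b"hello",
        "ghi789/extra.bin": b"x",
    }
    for loc, status in find_changed(local, SAMPLE_REMOTE_LISTING).items():
        print(f"{loc}: {status}")

    # The streaming hasher gives the same digest as the in-memory one.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
    try:
        assert sha1sum_file(tmp.name) == sha1sum_bytes(b"abc")
    finally:
        os.unlink(tmp.name)
```

SHA-1 is fine for the change detection the notes describe (spotting an edited or stale handout); it is not a substitute for integrity protection against a deliberate collision, so a client that cares about that should keep its own stronger digest alongside.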
Plugins
- Add ability to control the link target for a page (i.e. open in a new tab) via `register_user_page_menu_bar()`
- Add `uploaders.open()` to open a file from an uploader
- Adds the optional path field to the `Uploaders.upload()` method to control where files get uploaded to
Themes
- Allow customization of the `<meta>` tag & page title via template files
- Exposes `unix_time_to_utc()` as a Jinja filter
Admin Panel
- Migrate Admin Panel from webpack to Vite
- Adds Alpine to Admin Panel for plugins to use to add interactivity
Deployment
- Update base image to `python:3.11-slim-bookworm`
- Added prefix option to S3 uploader under `AWS_S3_CUSTOM_PREFIX`
  - This allows CTFd to store files under a folder of an S3 bucket
- Raise exception if a built-in config is defined in the extra config section in config.ini
- CTFd will wait for an import to complete before starting
  - This tries to address issues where starting CTFd during an import can interfere with the import
- Add Pillow version 10.1.0 as a dependency
- Update boto3 version to 1.34.39
- Update isort version to 5.13.2
- Update dataset version to 1.6.2
3.6.1 / 2023-12-12
Security
- Fix an issue where users could bypass Score Visibility and see a user's score/place when not allowed by Admins
General
- Add Slovak, Japanese, Brazilian Portuguese translations
- Update Chinese translation
- Fix Dynamic challenges not showing the Next Challenge
API
- Add `email` as a `field` to query to `/api/v1/users` and `/api/v1/teams` to allow searching via email address for Admins
- Accept multipart/form-data with token auth for file upload to `/api/v1/files`
- Always allow a user/team to see their own score when querying their own self endpoints regardless of Score Visibility
  - The rationale for this is that a user can always calculate their score regardless of any setting because they can simply sum all of their challenges
Admin Panel
- Fix an issue where polymorphic tables (i.e. solves) could not be CSV exported correctly
Themes
- When using core-beta, `meta` tags can now be inserted into pages from `render_template()` calls
Deployment
- Fix an issue where S3 uploads would not work if the server's timezone was not set to UTC
- Update gevent dependency to `23.9.1`
3.6.0 / 2023-08-21
General
- Translations support for Spanish, Polish, German, Chinese
- If you wish to fix or maintain a language translation please join at CTFd's public POEditor page.
- Add a total user registration limit option
- Dynamic value challenges can now choose between linear and logarithmic decay functions
- Free hints are now visible by unauthenticated users if challenges are visible by unauthenticated users
- Fix issue where a custom field named affiliation or website prevented registration
- No longer special case "Affiliation" or "Website" as custom field titles. Previously custom fields with those titles would set the user's affiliation or website but this behavior has been removed.
Admin Panel
- Challenge Preview has been improved to support arbitrary custom themes
- Long flags in the Admin Panel are now truncated but can be expanded and copied
- Add UI to mark incorrect submissions as correct
  - Add the `discard` type for submissions
  - Add `PATCH /api/v1/submissions/[submission_id]` to mark submissions as correct
- Add section in the Config Panel to configure `HTML_SANITIZATION`
  - Setting `HTML_SANITIZATION` to true in `config.ini` cannot be disabled via the Admin Panel
- Add wildcard for email whitelisting
Deployment
- Add new envvar `SKIP_DB_PING` to instruct the CTFd Docker image to not test if the database server is available
- Add new config `AWS_S3_ADDRESSING_STYLE`
  - Support selecting the S3 addressing style. It defaults to "auto" as when it's not set, but can also be set to `virtual` or `path`
- Add new config `AWS_S3_CUSTOM_DOMAIN` which specifies a domain that replaces the default one in presigned download URLs
  - Required for certain S3 implementations
- Flask and Werkzeug have been upgraded to v2.0.3. Other dependencies have been updated for compatibility.
- SQLAlchemy has been updated to v1.4.
- PyMySQL has been upgraded to v1.0.2.
- The `flask` cli tool is now offered as an alternative to the `manage.py` script.
- gzip compression is now enabled in the provided nginx configuration
API
- API tokens now have a description field
- API tokens now start with a `ctfd_` prefix to make them easier to identify
- `GET /api/v1/hints/[hint_id]` will now return hint information for free hints for unauthenticated users if challenges are visible
Themes
- core-beta is now provided in all CTFd instances
- core-beta is the default theme during setup
3.5.3
3.5.2 / 2023-05-01
General
- Generate cacheable S3 URLs by rounding time down to the previous hour to generate a consistent URL
- Change email whitelist error message to not include the list of allowed domains
- Clean up the language for confirming the password on team password change
- Fix issue where dynamic challenges break if the decay is 0 and prevent users from adding a decay limit of 0 to dynamic value challenges
Admin Panel
- Adds support for admins to control `robots.txt`
- Clean up the aesthetics for the 'Pause CTF' and 'View After CTF' configs
- Replaced TLS and SSL checkbox text to match the defaults used by Mozilla Thunderbird to eliminate confusion when configuring SMTP
Deployment
- Slim down Docker image by removing several dependencies not needed for production usage
- The image size has been reduced from 648MB to 398MB
- In the Docker image run CTFd in a virtual environment located at `/opt/venv`
- Add freezegun to application dependencies
- Bump dependencies for pybluemonday, redis, SQLAlchemy-Utils, python-geoacumen-city
- Fix race conditions on cache healthcheck
- Fix situations where numeric config items in config.ini could cause CTFd to not start
3.5.1 / 2023-01-23
General
- The public scoreboard page is no longer shown to users if account visibility is disabled
- Teams created by admins using the normal team creation flow are now hidden by default
- Redirect users to the team creation page if they access certain pages before the CTF starts
- Added a notice on the Challenges page to remind Admins if they are in Admins Only mode
- Fixed an issue where users couldn't login to their team even though they were already on the team
- Fixed an issue with scoreboard tie breaking when an award results in a tie
- Fixed the order of solves, fails, and awards to always be in chronological ordering (latest first).
- Fixed an issue where certain custom fields could not be submitted
Admin Panel
- Improved the rendering of Admin Panel tables on mobile devices
- Clarified the behavior of Score Visibility with respect to Account Visibility in the Admin Panel help text
- Added user id and user email fields to the user mode scoreboard CSV export
- Add CSV export for `teams+members+fields` which is teams with Custom Field entries and their team members with Custom Field entries
- The import process will now catch all exceptions in the import process to report them in the Admin Panel
- Fixed issue where `field_entries` could not be imported under MariaDB
- Fixed issue where `config` entries sometimes would be recreated for some reason causing an import to fail
- Fixed issue with Firefox caching checkboxes by adding `autocomplete='off'` to Admin Panel pages
- Fixed issue where Next selection for a challenge wouldn't always load in Admin Panel
API
- Improve response time of `/api/v1/challenges` and `/api/v1/challenges/[challenge_id]/solves` by caching the solve count data for users and challenges
- Add `HEAD /api/v1/notifications` to get a count of notifications that have happened.
  - This also includes a `since_id` parameter to allow for a notification cursor.
  - Unread notification count can now be tracked by themes that track which notifications a user has read
- Add `since_id` to `GET /api/v1/notifications` to get Notifications that have happened since a specific ID
Deployment
- Imports have been disabled when running with a SQLite database backend
  - See #2131
- Added `/healthcheck` endpoint to check if CTFd is ready
- There are now ARM Docker images for OSS CTFd
- Bump dependencies for passlib, bcrypt, requests, gunicorn, gevent, python-geoacumen-city, cmarkgfm
- Properly load `SAFE_MODE` config from environment variable
- The `AWS_S3_REGION` config has been added to allow specifying an S3 region. The default is `us-east-1`
- Add individual DATABASE config keys as an alternative to `DATABASE_URL`
  - `DATABASE_PROTOCOL`: SQLAlchemy DB protocol (+ driver, optionally)
  - `DATABASE_USER`: Username to access DB server with
  - `DATABASE_PASSWORD`: Password to access DB server with
  - `DATABASE_HOST`: Hostname of the DB server to access
  - `DATABASE_PORT`: Port of the DB server to access
  - `DATABASE_NAME`: Name of the database to use
- Add individual REDIS config keys as an alternative to `REDIS_URL`
  - `REDIS_PROTOCOL`: Protocol to access Redis server with (either redis or rediss)
  - `REDIS_USER`: Username to access Redis server with
  - `REDIS_PASSWORD`: Password to access Redis server with
  - `REDIS_HOST`: Hostname of the Redis server to access
  - `REDIS_PORT`: Port of the Redis server to access
  - `REDIS_DB`: Numeric ID of the database to access
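The individual `DATABASE_*` and `REDIS_*` keys above are an alternative to embedding everything in one URL, which matters in practice because a password containing `@`, `/` or `:` breaks a hand-written `DATABASE_URL` unless it is percent-encoded. The example below is added here to show what such assembly has to do; it is not CTFd's own configuration code, and the rule that an explicit `DATABASE_URL` takes precedence over the individual keys is an assumption made for the illustration.

```python
from urllib.parse import quote

REDIS_SCHEMES = ("redis", "rediss")


def _userinfo(user: str, password: str) -> str:
    """Build the 'user:password@' part, percent-encoding both so reserved
    characters in a secret cannot change the meaning of the URL."""
    if password:
        return f"{quote(user, safe='')}:{quote(password, safe='')}@"
    if user:
        return f"{quote(user, safe='')}@"
    return ""


def build_database_url(cfg: dict) -> str:
    """Assemble a SQLAlchemy URL from the DATABASE_* keys listed in the notes.
    cfg is a plain mapping of key name to string value (e.g. from config.ini
    or the environment); DATABASE_PORT is treated as optional."""
    userinfo = _userinfo(cfg.get("DATABASE_USER", ""), cfg.get("DATABASE_PASSWORD", ""))
    host = cfg["DATABASE_HOST"]
    port = cfg.get("DATABASE_PORT")
    netloc = f"{host}:{port}" if port else host
    return f"{cfg['DATABASE_PROTOCOL']}://{userinfo}{netloc}/{cfg['DATABASE_NAME']}"


def build_redis_url(cfg: dict) -> str:
    """Assemble a Redis URL from the REDIS_* keys, accepting only the two
    protocols the notes name. rediss:// is the TLS variant; passing anything
    else is rejected rather than silently producing an unusable URL."""
    proto = cfg.get("REDIS_PROTOCOL", "redis")
    if proto not in REDIS_SCHEMES:
        raise ValueError(f"REDIS_PROTOCOL must be one of {REDIS_SCHEMES}, got {proto!r}")
    userinfo = _userinfo(cfg.get("REDIS_USER", ""), cfg.get("REDIS_PASSWORD", ""))
    port = cfg.get("REDIS_PORT", "6379")  # assumed default, not from the notes
    db = cfg.get("REDIS_DB", "0")         # assumed default, not from the notes
    return f"{proto}://{userinfo}{cfg['REDIS_HOST']}:{port}/{db}"


def resolve_database_url(cfg: dict) -> str:
    """Assumed precedence for this illustration: a full DATABASE_URL wins,
    otherwise the URL is assembled from the individual keys."""
    if cfg.get("DATABASE_URL"):
        return cfg["DATABASE_URL"]
    return build_database_url(cfg)


if __name__ == "__main__":
    # Constructed sample values; the password deliberately contains reserved characters.
    db_cfg = {
        "DATABASE_PROTOCOL": "mysql+pymysql",
        "DATABASE_USER": "ctfd",
        "DATABASE_PASSWORD": "p@ss/w:rd",
        "DATABASE_HOST": "db",
        "DATABASE_PORT": "3306",
        "DATABASE_NAME": "ctfd",
    }
    redis_cfg = {
        "REDIS_PROTOCOL": "rediss",
        "REDIS_PASSWORD": "s3cret",
        "REDIS_HOST": "cache",
        "REDIS_PORT": "6380",
        "REDIS_DB": "0",
    }
    print(resolve_database_url(db_cfg))
    print(build_redis_url(redis_cfg))
```

The encoded output (`p%40ss%2Fw%3Ard`) is what a hand-maintained `DATABASE_URL` would have to contain; keeping the password in its own key avoids that step and the outages that follow when an operator forgets it.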
Plugins
- Adds support for `config.json` to have multiple paths to add to the Plugins dropdown in the Admin Panel
- Plugins and their migrations now have access to the `get_all_tables` and `get_columns_for_table` functions
- Email sending functions have now been separated into classes that can be customized via plugins.
  - Add `CTFd.utils.email.providers.EmailProvider`
  - Add `CTFd.utils.email.providers.mailgun.MailgunEmailProvider`
  - Add `CTFd.utils.email.providers.smtp.SMTPEmailProvider`
  - Deprecate `CTFd.utils.email.mailgun.sendmail`
  - Deprecate `CTFd.utils.email.smtp.sendmail`
Themes
- The beta interface `Assets.manifest_css` has been removed
- `event-source-polyfill` is now pinned to 1.0.19.
  - See #2159
  - Note that we will not be using this polyfill starting with the `core-beta` theme.
- Add autofocus to text fields on authentication pages
3.5.0 / 2022-05-09
General
- Add a next challenge recommendation to challenges
- Add support for only viewing hints after unlocking another hint
- Add size checking and recommendation for images uploaded during setup
Admin Panel
- Imports now happen in the background so that admins can watch the status of the import
- Add progress tracking to backup/export importing
- Add `GET /admin/import` to see status of import
- The public user facing portion of CTFd is now disabled during imports
- Fix issue where custom field entries for Users and Teams would be misaligned in the scoreboard CSV export
- Show admins the email server error message when email sending fails
- Fix issue where the current theme cannot be found in list of themes
- Fix page preview so that it accounts for the provided format
- Add links from User/Team Profile IP addresses to a User IP address search page
- Add city geolocation to Team Profile IP addresses
API
- Add the `count` meta field to the following endpoints:
  - `/api/v1/users/me/solves`
  - `/api/v1/users/me/fails`
  - `/api/v1/users/me/awards`
  - `/api/v1/teams/me/awards`
  - `/api/v1/users/[user_id]/solves`
  - `/api/v1/users/[user_id]/fails`
  - `/api/v1/users/[user_id]/awards`
  - `/api/v1/teams/[team_id]/solves`
  - `/api/v1/teams/[team_id]/awards`
- Improve speed of `/api/v1/teams/me/fails`
- Improve speed of `/api/v1/teams/[team_id]/fails`
- Improve speed of `/api/v1/users/me/fails`
- Improve speed of `/api/v1/users/[user_id]/fails`
Deployment
- Use Python 3.9 as the default Python version
- Prevent any possible usage of an already existing session ID by checking for duplicates during session ID generation
- No longer install `python3-dev` in Dockerfile
- docker-compose.yml now uses `nginx:stable` as the image for nginx
Plugins
- `CTFd._internal.challenge.render` and `CTFd._internal.challenge.renderer` in the `view.js` Challenge type file have been deprecated. Instead Challenge plugins should refer to the `challenge.html` attribute provided by the API. Essentially CTFd is moving to having markdown & HTML rendered by the server instead of rendering on the client.
Themes
- Create the `core-beta` theme and begin documenting the creation of themes using Vite
- Add `userName` and `userEmail` to the CTFd init object in `base.html` for easier integration with other JavaScript code
- Add `teamId` and `teamName` to the CTFd init object in `base.html` for easier integration with other JavaScript code
- Adds the `Assets` constant to access front end assets from Jinja templates
- Adds a `views.themes_beta` route to avoid the `.dev`/`.min` extension being added automatically to frontend asset urls
Miscellaneous
- Fix double logging in `log()` function
- Add `--delete_import_on_finish` to `python manage.py import_ctf`
- Fix issue where `field_entries` table could not be imported when moving between MySQL and MariaDB
3.4.3
3.4.2
3.4.1 / 2022-02-19
General
- Make session cookies persist in the browser after close
- Fix issue where all-numeric registration codes wouldn't work
- Fix issue where a user's session isn't cleared properly after they are deleted by an admin
- Fix issue where CTF end time couldn't be set during setup
API
- Improved speed of the `/api/v1/challenges/[challenge_id]/solves` endpoint
- Document API authentication and `Content-Type` header requirement
- Add nested `UserSchema` and `TeamSchema` to `SubmissionSchema` for easier access to account name
Admin Panel
- Improve CSV import error reporting and validation
- Fix non-clickable checkbox label in user creation form in Admin Panel
- Allow submissions per minute ratelimit to be configurable in Admin Panel
- Add a link in the Pages Editor to the Page Variables documentation page
Themes
- Fix issue where invalid `theme_settings` can cause broken frontend
- Replace `node-sass` with `sass` and upgrade `sass-loader`
Deployment
- Serve all assets from CTFd regardless of internet availability (i.e. fonts and font-awesome)
- Fix regression in `REVERSE_PROXY` to allow comma separated integers
- Bump `flask-restx` to 0.5.1
- Bump `pybluemonday` to 0.0.9
- Added support for S3 signature version 4 authentication to support alternative S3 buckets (Google Cloud Storage, DigitalOcean Spaces, etc)
Miscellaneous
- Add a GitHub Actions job to publish Docker images to Docker Hub and ghcr