
Releases: CTFd/CTFd

3.7.0

26 Feb 21:40
6ce3eb1

3.7.0 / 2024-02-26

General

  • Add ability for users to generate social share links after solving a challenge
    • After solving a challenge users can click a "share" button which can generate Twitter, Facebook, LinkedIn links
  • Add Scoreboard Brackets feature to have multiple sub-scoreboards within the main scoreboard
    • Admins can add a bracket for users/teams which must be selected during the registration process. Within the scoreboard, accounts can be organized by bracket in addition to seeing the full list
  • Calculate a file's sha1sum on upload for future local change detection purposes
  • Allow API clients (CTFd, ctfcli, etc) to control the location of an uploaded file
  • Allow challenge CSVs to contain JSON in the hints and flags columns so that admins can import more complex data
  • Fix issue where hints could not be unlocked during freeze time
  • Use the CTF name as the default index page name

API

  • Add bracket_name and bracket_id to /api/v1/scoreboard
  • Add sha1sum to GET /api/v1/files
  • Add location to POST /api/v1/files

Plugins

  • Add ability to control the link target for a page (i.e. open in a new tab) via register_user_page_menu_bar()
  • Add uploaders.open() to open a file from an uploader
  • Adds the optional path field to the Uploaders.upload() method to control where files get uploaded to

Themes

  • Allow customization of the <meta> tag & page title via template files
  • Exposes unix_time_to_utc() as a Jinja filter

Admin Panel

  • Migrate Admin Panel from webpack to Vite
  • Adds Alpine to Admin Panel for plugins to use to add interactivity

Deployment

  • Update base image to python:3.11-slim-bookworm
  • Added prefix option to S3 uploader under AWS_S3_CUSTOM_PREFIX
    • This allows CTFd to store files under a folder of an S3 bucket
  • Raise exception if a built-in config is defined in the extra config section in config.ini
  • CTFd will wait for an import to complete before starting
    • This tries to address issues where starting CTFd during an import can interfere with the import
  • Add Pillow version 10.1.0 as a dependency
  • Update boto3 version to 1.34.39
  • Update isort version to 5.13.2
  • Update dataset version to 1.6.2

3.6.1

13 Dec 00:42
99e7b4e

3.6.1 / 2023-12-12

Security

  • Fix an issue where users could bypass Score Visibility and see a user's score/place when not allowed by Admins

General

  • Add Slovak, Japanese, Brazilian Portuguese translations
  • Update Chinese translation
  • Fix Dynamic challenges not showing the Next Challenge

API

  • Add email as a field to query to /api/v1/users and /api/v1/teams to allow searching via email address for Admins
  • Accept multipart/form-data with token auth for file upload to /api/v1/files
  • Always allow a user/team to see their own score when querying their own self endpoints regardless of Score Visibility
    • The rationale for this is that a user can always calculate their score regardless of any setting because they can simply sum all of their challenges

Admin Panel

  • Fix an issue where polymorphic tables (i.e. solves) could not be CSV exported correctly

Themes

  • When using core-beta, meta tags can now be inserted into pages from render_template() calls

Deployment

  • Fix an issue where S3 uploads would not work if the server's timezone was not set to UTC
  • Update gevent dependency to 23.9.1

3.6.0

21 Aug 22:40
af5e88d

3.6.0 / 2023-08-21

General

  • Translations support for Spanish, Polish, German, Chinese
    • If you wish to fix or maintain a language translation please join at CTFd's public POEditor page.
  • Add a total user registration limit option
  • Dynamic value challenges can now choose between linear and logarithmic decay functions
  • Free hints are now visible by unauthenticated users if challenges are visible by unauthenticated users
  • Fix issue where a custom field named affiliation or website prevented registration
    • No longer special case "Affiliation" or "Website" as custom field titles. Previously custom fields with those titles would set the user's affiliation or website but this behavior has been removed.

Admin Panel

  • Challenge Preview has been improved to support arbitrary custom themes
  • Long flags in the Admin Panel are now truncated but can be expanded and copied
  • Add UI to mark incorrect submissions as correct
    • Add the discard type for submissions
    • Add PATCH /api/v1/submissions/[submission_id] to mark submissions as correct
  • Add section in the Config Panel to configure HTML_SANITIZATION
    • Setting HTML_SANITIZATION to true in config.ini cannot be disabled via the Admin Panel
  • Add wildcard for email whitelisting
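The wildcard whitelist above is the kind of check that is easy to get subtly wrong (suffix matching on "example.com" admitting "notexample.com", or a domain taken from the first "@" instead of the last). The following is an added illustration, not CTFd's own implementation: the exact wildcard semantics CTFd applies are not stated on this page, and the choice that "*.example.com" admits subdomains only is this example's own. It also returns the generic error message that the 3.5.2 notes on this page adopt, rather than echoing the allowed domains.

```python
"""Illustrative email-domain whitelist with wildcard support (added example)."""
from __future__ import annotations


def extract_domain(email: str) -> str | None:
    """Return the lowercased domain of an address, or None if malformed.

    rpartition splits on the LAST '@', which is the separator a mail server
    uses, so 'a@b@evil.com' is treated as belonging to evil.com, not b.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.lower()
    if any(c.isspace() for c in domain):
        return None
    return domain


def domain_allowed(domain: str, whitelist: list[str]) -> bool:
    """Match a domain against exact entries and '*.suffix' wildcards.

    A wildcard entry '*.example.com' admits subdomains only; the apex
    'example.com' must be listed explicitly (this example's design choice).
    The suffix check keeps the leading dot, so 'notexample.com' and
    'example.com.evil.com' do not match.
    """
    for entry in whitelist:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("*."):
            if domain.endswith(entry[1:]):  # entry[1:] == ".example.com"
                return True
        elif domain == entry:
            return True
    return False


def is_email_allowed(email: str, whitelist: list[str]) -> bool:
    domain = extract_domain(email)
    return domain is not None and domain_allowed(domain, whitelist)


def registration_error(email: str, whitelist: list[str]) -> str | None:
    """Return the user-facing error, or None if registration may proceed.

    The message deliberately does not list the whitelist: telling a visitor
    which domains are accepted tells an attacker which organisations'
    addresses are worth registering or spoofing.
    """
    if is_email_allowed(email, whitelist):
        return None
    return "Registration is restricted to approved email domains."
```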

Deployment

  • Add new envvar SKIP_DB_PING to instruct the CTFd Docker image to not test if the database server is available
  • Add new config AWS_S3_ADDRESSING_STYLE
    • Support selecting the S3 addressing style. It defaults to "auto" when not set, but can also be set to virtual or path
  • Add new config AWS_S3_CUSTOM_DOMAIN which specifies a domain that replaces the default one in presigned download URLs
    • Required for certain S3 implementations
  • Flask and Werkzeug have been upgraded to v2.0.3. Other dependencies have been updated for compatibility.
  • SQLAlchemy has been updated to v1.4.
  • PyMySQL has been upgraded to v1.0.2.
  • The flask CLI tool is now offered as an alternative to the manage.py script.
  • gzip compression is now enabled in the provided nginx configuration

API

  • API tokens now have a description field
  • API tokens now start with a ctfd_ prefix to make them easier to identify
  • GET /api/v1/hints/[hint_id] will now return hint information for free hints for unauthenticated users if challenges are visible
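A fixed prefix on API tokens mainly pays off in secret scanning: a pre-commit hook, CI job or log pipeline can flag a CTFd token without a heuristic entropy check. The rule below is an added example, not part of CTFd or ctfcli. Only the "ctfd_" prefix comes from this page; the character set and the 20-character minimum for the remainder are assumptions, and the log lines are constructed, not real tokens.

```python
"""Illustrative secret-scanning rule for ctfd_-prefixed API tokens (added example)."""
import re

# Assumed token shape: 'ctfd_' followed by at least 20 URL-safe characters.
# No alphanumeric may precede the prefix, so 'xctfd_...' is not a hit.
CTFD_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])ctfd_[A-Za-z0-9_\-]{20,}")

# Constructed sample input: a request log, a shell history line and a stale note.
SAMPLE_LOG = """\
GET /api/v1/users/me HTTP/1.1 Authorization: Token ctfd_2e7b3a6b9c1d4f0e8a5b7c9d1e3f5a7b
export CTFD_TOKEN=ctfd_0123456789abcdef0123456789
old token: ctfd_ab  (too short to be a token)
"""


def find_ctfd_tokens(text: str) -> list:
    """Return every candidate token in order of appearance."""
    return CTFD_TOKEN_RE.findall(text)


def redact_ctfd_tokens(text: str) -> str:
    """Mask tokens but keep the prefix and last four characters.

    The tail lets an operator correlate a leak with the token list in the
    Admin Panel and revoke the right one without reproducing the secret.
    """
    return CTFD_TOKEN_RE.sub(lambda m: "ctfd_****" + m.group(0)[-4:], text)
```

Run the redaction over anything that leaves the trust boundary (CI logs, crash reports, support tickets); run the finder over commits and revoke on every hit rather than triaging by hand.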

Themes

  • core-beta is now provided in all CTFd instances
  • core-beta is the default theme during setup

3.5.3

08 Jun 19:10

3.5.3 / 2023-06-08

Deployment

  • Fixed permissions error in Dockerfile
  • Bump dependencies for pybluemonday

3.5.2

02 May 03:31
3fbfd81

3.5.2 / 2023-05-01

General

  • Generate cacheable S3 URLs by rounding time down to the previous hour to generate a consistent URL
  • Change email whitelist error message to not include the list of allowed domains
  • Clean up the language for confirming the password on team password change
  • Fix issue where dynamic challenges break if the decay is 0 and prevent users from adding a decay limit of 0 to dynamic value challenges
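Rounding the signing time down to the hour is what makes the URL identical across requests, but it also changes how long a URL stays valid: a URL minted one second before the boundary is already an hour into its TTL. The block below is an added example, not CTFd's code and not AWS SigV4; a toy HMAC signature stands in for S3 presigning so the rounding and expiry logic can run offline, and the host files.example.test and the query parameter names are made up.

```python
"""Cache-friendly signed download URLs (added example, toy HMAC in place of S3 presigning)."""
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

HOUR = 3600


def cache_window_start(now: int, window: int = HOUR) -> int:
    """Round a Unix timestamp down to the start of its window.

    Epoch seconds are already UTC, so the server's local timezone cannot
    shift the result (compare the S3 timezone fix noted under 3.6.1).
    """
    now = int(now)
    return now - (now % window)


def presign(path: str, now: int, secret: bytes, ttl: int = 2 * HOUR) -> tuple[str, int]:
    """Return (url, expires).

    The expiry is derived from the rounded time rather than the request
    time, so every request within the same hour produces an identical URL
    that a browser or CDN can cache instead of re-fetching.
    """
    expires = cache_window_start(now) + ttl
    sig = hmac.new(secret, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"https://files.example.test/{path}?expires={expires}&sig={sig}", expires


def verify(url: str, now: int, secret: bytes) -> bool:
    """Server-side check: constant-time signature compare, then expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    path = parts.path.lstrip("/")
    expected = hmac.new(secret, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and int(now) < expires


def remaining_validity(now: int, ttl: int = 2 * HOUR, window: int = HOUR) -> int:
    """Seconds a URL minted at `now` stays valid.

    Worst case is a request one second before the boundary: ttl - window + 1.
    With ttl == window that is a single second, so the TTL must be at least
    twice the rounding window for the cached URL to be usable.
    """
    return cache_window_start(now, window) + ttl - int(now)
```

The trade-off to keep in mind: the longer the TTL, the longer a leaked URL keeps working after a challenge file is pulled, so pair the rounding with a TTL of about two windows rather than a generous one.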

Admin Panel

  • Adds support for admins to control robots.txt
  • Clean up the aesthetics for the 'Pause CTF' and 'View After CTF' configs
  • Replaced TLS and SSL checkbox text to match the defaults used by Mozilla Thunderbird to eliminate confusion when configuring SMTP

Deployment

  • Slim down Docker image by removing several dependencies not needed for production usage
    • The image size has been reduced from 648MB to 398MB
  • In the Docker image run CTFd in a virtual environment located at /opt/venv
  • Add freezegun to application dependencies
  • Bump dependencies for pybluemonday, redis, SQLAlchemy-Utils, python-geoacumen-city
  • Fix race conditions on cache healthcheck
  • Fix situations where numeric config items in config.ini could cause CTFd to not start

3.5.1

24 Jan 03:34
89289ad

3.5.1 / 2023-01-23

General

  • The public scoreboard page is no longer shown to users if account visibility is disabled
  • Teams created by admins using the normal team creation flow are now hidden by default
  • Redirect users to the team creation page if they access certain pages before the CTF starts
  • Added a notice on the Challenges page to remind Admins if they are in Admins Only mode
  • Fixed an issue where users couldn't login to their team even though they were already on the team
  • Fixed an issue with scoreboard tie breaking when an award results in a tie
  • Fixed the ordering of solves, fails, and awards so they are always listed most recent first
  • Fixed an issue where certain custom fields could not be submitted

Admin Panel

  • Improved the rendering of Admin Panel tables on mobile devices
  • Clarified the behavior of Score Visibility with respect to Account Visibility in the Admin Panel help text
  • Added user id and user email fields to the user mode scoreboard CSV export
  • Add CSV export for teams+members+fields which is teams with Custom Field entries and their team members with Custom Field entries
  • The import process now catches all exceptions and reports them in the Admin Panel
  • Fixed issue where field_entries could not be imported under MariaDB
  • Fixed issue where config entries would sometimes be recreated, causing an import to fail
  • Fixed issue with Firefox caching checkboxes by adding autocomplete='off' to Admin Panel pages
  • Fixed issue where Next selection for a challenge wouldn't always load in Admin Panel

API

  • Improve response time of /api/v1/challenges and /api/v1/challenges/[challenge_id]/solves by caching the solve count data for users and challenges
  • Add HEAD /api/v1/notifications to get a count of notifications that have happened.
    • This also includes a since_id parameter to allow for a notification cursor.
    • Unread notification count can now be tracked by themes that track which notifications a user has read
  • Add since_id to GET /api/v1/notifications to get Notifications that have happened since a specific ID

Deployment

  • Imports have been disabled when running with a SQLite database backend
  • Added /healthcheck endpoint to check if CTFd is ready
  • There are now ARM Docker images for OSS CTFd
  • Bump dependencies for passlib, bcrypt, requests, gunicorn, gevent, python-geoacumen-city, cmarkgfm
  • Properly load SAFE_MODE config from environment variable
  • The AWS_S3_REGION config has been added to allow specifying an S3 region. The default is us-east-1
  • Add individual DATABASE config keys as an alternative to DATABASE_URL
    • DATABASE_PROTOCOL: SQLAlchemy DB protocol (+ driver, optionally)
    • DATABASE_USER: Username to access DB server with
    • DATABASE_PASSWORD: Password to access DB server with
    • DATABASE_HOST: Hostname of the DB server to access
    • DATABASE_PORT: Port of the DB server to access
    • DATABASE_NAME: Name of the database to use
  • Add individual REDIS config keys as an alternative to REDIS_URL
    • REDIS_PROTOCOL: Protocol to access Redis server with (either redis or rediss)
    • REDIS_USER: Username to access Redis server with
    • REDIS_PASSWORD: Password to access Redis server with
    • REDIS_HOST: Hostname of the Redis server to access
    • REDIS_PORT: Port of the Redis server to access
    • REDIS_DB: Numeric ID of the database to access
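The practical reason to prefer the individual keys over a single URL is credential handling: a database password containing "@", ":", "/" or "#" breaks a hand-written DATABASE_URL unless every such character is percent-encoded, and a mis-encoded URL fails in ways that look like an authentication problem. The block below is an added example of composing the URLs from those keys; whether CTFd composes them exactly this way is an assumption, as are the fallback values for DATABASE_PROTOCOL, DATABASE_NAME and REDIS_DB.

```python
"""Assemble DATABASE_URL / REDIS_URL from the individual config keys (added example)."""
from __future__ import annotations

from urllib.parse import quote_plus, unquote_plus, urlsplit


def _userinfo(user: str | None, password: str | None) -> str:
    """Build 'user:pass@' with each component percent-encoded exactly once."""
    if not user and not password:
        return ""
    auth = quote_plus(user) if user else ""
    if password:
        auth += ":" + quote_plus(password)
    return auth + "@"


def build_database_url(cfg: dict) -> str:
    """An explicit DATABASE_URL wins; otherwise compose from DATABASE_* keys.

    Defaults for protocol and database name are this example's assumptions.
    """
    if cfg.get("DATABASE_URL"):
        return cfg["DATABASE_URL"]
    port = cfg.get("DATABASE_PORT")
    return "{proto}://{auth}{host}{port}/{name}".format(
        proto=cfg.get("DATABASE_PROTOCOL", "mysql+pymysql"),
        auth=_userinfo(cfg.get("DATABASE_USER"), cfg.get("DATABASE_PASSWORD")),
        host=cfg["DATABASE_HOST"],
        port=f":{port}" if port else "",
        name=cfg.get("DATABASE_NAME", "ctfd"),
    )


def build_redis_url(cfg: dict) -> str:
    """Same for Redis; only redis:// and rediss:// (TLS) are accepted."""
    if cfg.get("REDIS_URL"):
        return cfg["REDIS_URL"]
    proto = cfg.get("REDIS_PROTOCOL", "redis")
    if proto not in ("redis", "rediss"):
        raise ValueError(f"REDIS_PROTOCOL must be redis or rediss, got {proto!r}")
    port = cfg.get("REDIS_PORT")
    return "{proto}://{auth}{host}{port}/{db}".format(
        proto=proto,
        auth=_userinfo(cfg.get("REDIS_USER"), cfg.get("REDIS_PASSWORD")),
        host=cfg["REDIS_HOST"],
        port=f":{port}" if port else "",
        db=cfg.get("REDIS_DB", "0"),
    )


def password_from_url(url: str) -> str:
    """Round-trip check: what a URL-parsing client will actually send."""
    return unquote_plus(urlsplit(url).password or "")
```

Use rediss:// whenever Redis is reachable over anything other than a loopback or a private container network; the session store holds every logged-in user's session.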

Plugins

  • Adds support for config.json to have multiple paths to add to the Plugins dropdown in the Admin Panel
  • Plugins and their migrations now have access to the get_all_tables and get_columns_for_table functions
  • Email sending functions have now been separated into classes that can be customized via plugins.
    • Add CTFd.utils.email.providers.EmailProvider
    • Add CTFd.utils.email.providers.mailgun.MailgunEmailProvider
    • Add CTFd.utils.email.providers.smtp.SMTPEmailProvider
    • Deprecate CTFd.utils.email.mailgun.sendmail
    • Deprecate CTFd.utils.email.smtp.sendmail

Themes

  • The beta interface Assets.manifest_css has been removed
  • event-source-polyfill is now pinned to 1.0.19.
    • See #2159
    • Note that we will not be using this polyfill starting with the core-beta theme.
  • Add autofocus to text fields on authentication pages

3.5.0

10 May 01:52
6d74c1c

3.5.0 / 2022-05-09

General

  • Add a next challenge recommendation to challenges
  • Add support for only viewing hints after unlocking another hint
  • Add size checking and recommendation for images uploaded during setup

Admin Panel

  • Imports now happen in the background so that admins can watch the status of the import
    • Add progress tracking to backup/export importing
    • Add GET /admin/import to see status of import
    • The public user facing portion of CTFd is now disabled during imports
  • Fix issue where custom field entries for Users and Teams would be misaligned in the scoreboard CSV export
  • Show admins the email server error message when email sending fails
  • Fix issue where the current theme cannot be found in list of themes
  • Fix page preview so that it accounts for the provided format
  • Add links from User/Team Profile IP addresses to a User IP address search page
  • Add city geolocation to Team Profile IP addresses

API

  • Add the count meta field to the following endpoints:
    • /api/v1/users/me/solves
    • /api/v1/users/me/fails
    • /api/v1/users/me/awards
    • /api/v1/teams/me/awards
    • /api/v1/users/[user_id]/solves
    • /api/v1/users/[user_id]/fails
    • /api/v1/users/[user_id]/awards
    • /api/v1/teams/[team_id]/solves
    • /api/v1/teams/[team_id]/awards
  • Improve speed of /api/v1/teams/me/fails
  • Improve speed of /api/v1/teams/[team_id]/fails
  • Improve speed of /api/v1/users/me/fails
  • Improve speed of /api/v1/users/[user_id]/fails

Deployment

  • Use Python 3.9 as the default Python version
  • Prevent any possible usage of an already existing session ID by checking for duplicates during session ID generation
  • No longer install python3-dev in Dockerfile
  • docker-compose.yml now uses nginx:stable as the image for nginx

Plugins

  • CTFd._internal.challenge.render and CTFd._internal.challenge.renderer in the view.js Challenge type file have been deprecated. Instead, Challenge plugins should refer to the challenge.html attribute provided by the API. Essentially CTFd is moving to having markdown & HTML rendered by the server instead of rendering on the client.

Themes

  • Create the core-beta theme and begin documenting the creation of themes using Vite
  • Add userName and userEmail to the CTFd init object in base.html for easier integration with other JavaScript code
  • Add teamId and teamName to the CTFd init object in base.html for easier integration with other JavaScript code
  • Adds the Assets constant to access front end assets from Jinja templates
  • Adds a views.themes_beta route to avoid the .dev/.min extension being added automatically to frontend asset urls

Miscellaneous

  • Fix double logging in log() function
  • Add --delete_import_on_finish to python manage.py import_ctf
  • Fix issue where field_entries table could not be imported when moving between MySQL and MariaDB

3.4.3

08 Mar 02:54
262d896

3.4.3 / 2022-03-07

Security

  • Bump cmarkgfm to 0.8.0 to resolve CVE-2022-24724. Copied entry from 3.4.2 since 3.4.2 introduced a bug that prevented writing raw HTML.

General

  • Fix issue where raw HTML would not be rendered in markdown

3.4.2

07 Mar 20:33
7aea1ce

3.4.2 / 2022-03-07

Security

  • Bump cmarkgfm to 0.8.0 to resolve CVE-2022-24724

General

  • Fix issue where unauthenticated users couldn't download challenge files after CTF end even though viewing after the CTF was enabled

3.4.1

19 Feb 22:37
d9813a6

3.4.1 / 2022-02-19

General

  • Make session cookies persist in the browser after close
  • Fix issue where all-numeric registration codes wouldn't work
  • Fix issue where a user's session isn't cleared properly after they are deleted by an admin
  • Fix issue where CTF end time couldn't be set during setup

API

  • Improved speed of the /api/v1/challenges/[challenge_id]/solves endpoint
  • Document API authentication and Content-Type header requirement
  • Add nested UserSchema and TeamSchema to SubmissionSchema for easier access to account name

Admin Panel

  • Improve CSV import error reporting and validation
  • Fix non-clickable checkbox label in user creation form in Admin Panel
  • Allow submissions per minute ratelimit to be configurable in Admin Panel
  • Add a link in the Pages Editor to the Page Variables documentation page

Themes

  • Fix issue where invalid theme_settings can cause broken frontend
  • Replace node-sass with sass and upgrade sass-loader

Deployment

  • Serve all assets from CTFd regardless of internet availability (i.e. fonts and font-awesome)
  • Fix regression in REVERSE_PROXY to allow comma separated integers
  • Bump flask-restx to 0.5.1
  • Bump pybluemonday to 0.0.9
  • Added support for S3 signature version 4 authentication to support alternative S3 buckets (Google Cloud Storage, DigitalOcean Spaces, etc)

Miscellaneous

  • Add a GitHub Actions job to publish Docker images to Docker Hub and ghcr