Adding file handler

Kevin Chung
2016-11-05 00:54:21 -04:00
parent 11e3ef66b4
commit 52ad396db4
7 changed files with 36 additions and 17 deletions

1
.gitignore vendored

@@ -59,4 +59,5 @@ target/
*.log *.log
.idea/ .idea/
CTFd/static/uploads CTFd/static/uploads
CTFd/uploads
.ctfd_secret_key .ctfd_secret_key


@@ -411,8 +411,8 @@ def admin_files(chalid):
if request.method == 'POST': if request.method == 'POST':
if request.form['method'] == "delete": if request.form['method'] == "delete":
f = Files.query.filter_by(id=request.form['file']).first_or_404() f = Files.query.filter_by(id=request.form['file']).first_or_404()
if os.path.exists(os.path.join(app.static_folder, 'uploads', f.location)): ## Some kind of os.path.isfile issue on Windows... if os.path.exists(os.path.join(app.root_path, 'uploads', f.location)): ## Some kind of os.path.isfile issue on Windows...
os.unlink(os.path.join(app.static_folder, 'uploads', f.location)) os.unlink(os.path.join(app.root_path, 'uploads', f.location))
db.session.delete(f) db.session.delete(f)
db.session.commit() db.session.commit()
db.session.close() db.session.close()
@@ -428,11 +428,11 @@ def admin_files(chalid):
md5hash = hashlib.md5(os.urandom(64)).hexdigest() md5hash = hashlib.md5(os.urandom(64)).hexdigest()
if not os.path.exists(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash)): if not os.path.exists(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash)):
os.makedirs(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash)) os.makedirs(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash))
f.save(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash, filename)) f.save(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash, filename))
db_f = Files(chalid, os.path.join('static', 'uploads', md5hash, filename)) db_f = Files(chalid, (md5hash + '/' + filename))
db.session.add(db_f) db.session.add(db_f)
db.session.commit() db.session.commit()
@@ -838,11 +838,11 @@ def admin_create_chal():
md5hash = hashlib.md5(os.urandom(64)).hexdigest() md5hash = hashlib.md5(os.urandom(64)).hexdigest()
if not os.path.exists(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash)): if not os.path.exists(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash)):
os.makedirs(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash)) os.makedirs(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash))
f.save(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash, filename)) f.save(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash, filename))
db_f = Files(chal.id, os.path.join('static', 'uploads', md5hash, filename)) db_f = Files(chal.id, (md5hash + '/' + filename))
db.session.add(db_f) db.session.add(db_f)
db.session.commit() db.session.commit()
@@ -861,7 +861,7 @@ def admin_delete_chal():
files = Files.query.filter_by(chal=challenge.id).all() files = Files.query.filter_by(chal=challenge.id).all()
Files.query.filter_by(chal=challenge.id).delete() Files.query.filter_by(chal=challenge.id).delete()
for file in files: for file in files:
folder = os.path.dirname(file.location) folder = os.path.dirname(os.path.join(os.path.normpath(app.root_path), 'uploads', file.location))
rmdir(folder) rmdir(folder)
Tags.query.filter_by(chal=challenge.id).delete() Tags.query.filter_by(chal=challenge.id).delete()
Challenges.query.filter_by(id=challenge.id).delete() Challenges.query.filter_by(id=challenge.id).delete()
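Review bot: In `admin_delete_chal` the directory handed to `rmdir` is derived from the stored `file.location` with no check that it stays a direct child of the uploads directory. A location without a directory component makes `os.path.dirname(...)` resolve to the uploads root itself, and an absolute location makes `os.path.join` drop the `app.root_path` prefix, so a malformed row could remove far more than one upload folder (what `rmdir` does is not visible here; it is presumably recursive). Guarding the call would contain this: `upload_root = os.path.join(os.path.normpath(app.root_path), 'uploads')` followed by `if os.path.dirname(folder) == upload_root: rmdir(folder)`. Rows written before this commit still carry the `static/uploads/` prefix, so the delete branch in `admin_files` and this loop will no longer find their files unless the table is migrated. Both functions start and end outside the hunks shown.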


@@ -24,7 +24,10 @@ def challenges_view():
if view_after_ctf(): # But we are allowed to view after the CTF ends if view_after_ctf(): # But we are allowed to view after the CTF ends
pass pass
else: # We are NOT allowed to view after the CTF ends else: # We are NOT allowed to view after the CTF ends
errors.append('{} has ended'.format(ctf_name())) if get_config('start') and not ctf_started():
errors.append('{} has not started yet'.format(ctf_name()))
if (get_config('end') and ctf_ended()) and not view_after_ctf():
errors.append('{} has ended'.format(ctf_name()))
return render_template('chals.html', errors=errors, start=int(start), end=int(end)) return render_template('chals.html', errors=errors, start=int(start), end=int(end))
if get_config('verify_emails') and not is_verified(): # User is not confirmed if get_config('verify_emails') and not is_verified(): # User is not confirmed
return redirect(url_for('auth.confirm_user')) return redirect(url_for('auth.confirm_user'))
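Review bot: The new not-started message sits in the `else` branch of `if view_after_ctf():`, so when view-after-CTF is enabled the `pass` branch is taken before the start time as well and the `ctf_started()` check is never reached. `file_handler` in this same commit guards that case with `view_after_ctf() and ctf_started()`; using the same condition here, `if view_after_ctf() and ctf_started():`, would keep the two in step. As written, the trailing `and not view_after_ctf()` inside the `else` branch is always true and only adds noise. Indentation is lost on this page and `challenges_view` starts above the hunk, so the outer condition is assumed to be a not-CTF-time check.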


@@ -135,7 +135,7 @@ function loadfiles(chal){
for(x=0; x<files.length; x++){ for(x=0; x<files.length; x++){
filename = files[x].file.split('/') filename = files[x].file.split('/')
filename = filename[filename.length - 1] filename = filename[filename.length - 1]
$('#current-files').append('<div class="row" style="margin:5px 0px;">'+'<a style="position:relative;top:10px;" href=/'+files[x].file+'>'+filename+'</a><a href="#" class="btn btn-danger" onclick="deletefile('+chal+','+files[x].id+', $(this))" value="'+files[x].id+'" style="float:right;">Delete</a></div>') $('#current-files').append('<div class="row" style="margin:5px 0px;">'+'<a style="position:relative;top:10px;" href='+script_root+'/files/'+files[x].file+'>'+filename+'</a><a href="#" class="btn btn-danger" onclick="deletefile('+chal+','+files[x].id+', $(this))" value="'+files[x].id+'" style="float:right;">Delete</a></div>')
} }
}); });
} }
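Review bot: The link in `loadfiles` is assembled by string concatenation, with `files[x].file` placed in an unquoted `href` and `filename` inserted as raw HTML, so a stored name containing spaces, quotes or angle brackets breaks the link or is parsed as markup. Whether names are sanitised at upload is not visible in this hunk, so the client should not rely on it. Building the anchor through the DOM API avoids the problem: `$('<a>').attr('href', script_root + '/files/' + encodeURI(files[x].file)).text(filename)`. The changed line in `updateChalWindow` has the same pattern with `obj.files[i]` and should get the same treatment. `loadfiles` begins above the hunk.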


@@ -25,7 +25,7 @@ function updateChalWindow(obj) {
for (var i = 0; i < obj.files.length; i++) { for (var i = 0; i < obj.files.length; i++) {
filename = obj.files[i].split('/'); filename = obj.files[i].split('/');
filename = filename[filename.length - 1]; filename = filename[filename.length - 1];
$('#chal-window').find('.chal-files').append("<div class='col-md-3 file-button-wrapper'><a class='file-button' href='"+obj.files[i]+"'><label class='challenge-wrapper file-wrapper hide-text'>"+filename+"</label></a></div>") $('#chal-window').find('.chal-files').append("<div class='col-md-3 file-button-wrapper'><a class='file-button' href='" + script_root + '/files/' + obj.files[i] + "'><label class='challenge-wrapper file-wrapper hide-text'>" + filename + "</label></a></div>")
} }
var tags = chal.find('.chal-tags'); var tags = chal.find('.chal-tags');


@@ -1,5 +1,6 @@
from flask import current_app as app, render_template, render_template_string, request, redirect, abort, jsonify, json as json_mod, url_for, session, Blueprint, Response from flask import current_app as app, render_template, render_template_string, request, redirect, abort, jsonify, json as json_mod, url_for, session, Blueprint, Response, send_file
from CTFd.utils import authed, ip2long, long2ip, is_setup, validate_url, get_config, set_config, sha512, get_ip, cache from CTFd.utils import authed, ip2long, long2ip, is_setup, validate_url, get_config, set_config, sha512, get_ip, cache, ctftime, view_after_ctf, ctf_started, \
is_admin
from CTFd.models import db, Teams, Solves, Awards, Challenges, WrongKeys, Keys, Tags, Files, Tracking, Pages, Config from CTFd.models import db, Teams, Solves, Awards, Challenges, WrongKeys, Keys, Tags, Files, Tracking, Pages, Config
from jinja2.exceptions import TemplateNotFound from jinja2.exceptions import TemplateNotFound
@@ -224,3 +225,17 @@ def profile():
country=country, prevent_name_change=prevent_name_change, confirm_email=confirm_email) country=country, prevent_name_change=prevent_name_change, confirm_email=confirm_email)
else: else:
return redirect(url_for('auth.login')) return redirect(url_for('auth.login'))
@views.route('/files', defaults={'path': ''})
@views.route('/files/<path:path>')
def file_handler(path):
f = Files.query.filter_by(location=path).first_or_404()
if f.chal:
if not is_admin():
if not ctftime():
if view_after_ctf() and ctf_started():
pass
else:
abort(403)
return send_file(os.path.join(app.root_path, 'uploads', f.location))
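Review bot: `file_handler` passes `os.path.join(app.root_path, 'uploads', f.location)` straight to `send_file`, so containment depends entirely on what is stored in `Files.location`, and a row whose file is missing on disk (for example one still holding the old `static/uploads/` prefix) surfaces as an unhandled error instead of a 404. `return send_from_directory(os.path.join(app.root_path, 'uploads'), f.location)` rejects paths that escape the directory and returns 404 for missing files; it needs `send_from_directory` added to the `flask` import at the top of the file. The handler also has no docstring; a short one stating that files without a challenge are served to anyone, and challenge files only to admins, during the CTF, or afterwards when view-after-CTF is enabled, would make the nested `if`/`pass` ladder easier to audit. If downloads are meant to be limited to logged-in teams, an `authed()` check is absent here, though that may be intentional.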


@@ -235,7 +235,7 @@ if __name__ == '__main__':
chal = random.randint(1, CHAL_AMOUNT) chal = random.randint(1, CHAL_AMOUNT)
filename = gen_file() filename = gen_file()
md5hash = hashlib.md5(filename).hexdigest() md5hash = hashlib.md5(filename).hexdigest()
db.session.add(Files(chal, os.path.join('static/uploads', md5hash, filename))) db.session.add(Files(chal, md5hash + '/' + filename))
db.session.commit() db.session.commit()
### Generating Users ### Generating Users