Adding file handler

.gitignore

@@ -59,4 +59,5 @@ target/
 *.log
 .idea/
 CTFd/static/uploads
+CTFd/uploads
 .ctfd_secret_key

CTFd/admin.py

@@ -411,8 +411,8 @@ def admin_files(chalid):
     if request.method == 'POST':
         if request.form['method'] == "delete":
             f = Files.query.filter_by(id=request.form['file']).first_or_404()
-            if os.path.exists(os.path.join(app.static_folder, 'uploads', f.location)): ## Some kind of os.path.isfile issue on Windows...
-                os.unlink(os.path.join(app.static_folder, 'uploads', f.location))
+            if os.path.exists(os.path.join(app.root_path, 'uploads', f.location)): ## Some kind of os.path.isfile issue on Windows...
+                os.unlink(os.path.join(app.root_path, 'uploads', f.location))
             db.session.delete(f)
             db.session.commit()
             db.session.close()
@@ -428,11 +428,11 @@ def admin_files(chalid):
 
                 md5hash = hashlib.md5(os.urandom(64)).hexdigest()
 
-                if not os.path.exists(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash)):
-                    os.makedirs(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash))
+                if not os.path.exists(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash)):
+                    os.makedirs(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash))
 
-                f.save(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash, filename))
-                db_f = Files(chalid, os.path.join('static', 'uploads', md5hash, filename))
+                f.save(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash, filename))
+                db_f = Files(chalid, (md5hash + '/' + filename))
                 db.session.add(db_f)
 
             db.session.commit()
@@ -838,11 +838,11 @@ def admin_create_chal():
 
         md5hash = hashlib.md5(os.urandom(64)).hexdigest()
 
-        if not os.path.exists(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash)):
-            os.makedirs(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash))
+        if not os.path.exists(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash)):
+            os.makedirs(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash))
 
-        f.save(os.path.join(os.path.normpath(app.static_folder), 'uploads', md5hash, filename))
-        db_f = Files(chal.id, os.path.join('static', 'uploads', md5hash, filename))
+        f.save(os.path.join(os.path.normpath(app.root_path), 'uploads', md5hash, filename))
+        db_f = Files(chal.id, (md5hash + '/' + filename))
         db.session.add(db_f)
 
     db.session.commit()
@@ -861,7 +861,7 @@ def admin_delete_chal():
         files = Files.query.filter_by(chal=challenge.id).all()
         Files.query.filter_by(chal=challenge.id).delete()
         for file in files:
-            folder = os.path.dirname(file.location)
+            folder = os.path.dirname(os.path.join(os.path.normpath(app.root_path), 'uploads', file.location))
             rmdir(folder)
         Tags.query.filter_by(chal=challenge.id).delete()
         Challenges.query.filter_by(id=challenge.id).delete()

CTFd/challenges.py

@@ -24,6 +24,9 @@ def challenges_view():
             if view_after_ctf(): # But we are allowed to view after the CTF ends
                 pass
             else:  # We are NOT allowed to view after the CTF ends
+                if get_config('start') and not ctf_started():
+                    errors.append('{} has not started yet'.format(ctf_name()))
+                if (get_config('end') and ctf_ended()) and not view_after_ctf():
                     errors.append('{} has ended'.format(ctf_name()))
                 return render_template('chals.html', errors=errors, start=int(start), end=int(end))
         if get_config('verify_emails') and not is_verified(): # User is not confirmed

CTFd/static/original/admin/js/chalboard.js

@@ -135,7 +135,7 @@ function loadfiles(chal){
         for(x=0; x<files.length; x++){
             filename = files[x].file.split('/')
             filename = filename[filename.length - 1]
-            $('#current-files').append('<div class="row" style="margin:5px 0px;">'+'<a style="position:relative;top:10px;" href=/'+files[x].file+'>'+filename+'</a><a href="#" class="btn btn-danger" onclick="deletefile('+chal+','+files[x].id+', $(this))" value="'+files[x].id+'" style="float:right;">Delete</a></div>')
+            $('#current-files').append('<div class="row" style="margin:5px 0px;">'+'<a style="position:relative;top:10px;" href='+script_root+'/files/'+files[x].file+'>'+filename+'</a><a href="#" class="btn btn-danger" onclick="deletefile('+chal+','+files[x].id+', $(this))" value="'+files[x].id+'" style="float:right;">Delete</a></div>')
         }
     });
 }

CTFd/static/original/js/chalboard.js

@@ -25,7 +25,7 @@ function updateChalWindow(obj) {
     for (var i = 0; i < obj.files.length; i++) {
         filename = obj.files[i].split('/');
         filename = filename[filename.length - 1];
-        $('#chal-window').find('.chal-files').append("<div class='col-md-3 file-button-wrapper'><a class='file-button' href='"+obj.files[i]+"'><label class='challenge-wrapper file-wrapper hide-text'>"+filename+"</label></a></div>")
+        $('#chal-window').find('.chal-files').append("<div class='col-md-3 file-button-wrapper'><a class='file-button' href='" + script_root + '/files/' + obj.files[i] + "'><label class='challenge-wrapper file-wrapper hide-text'>" + filename + "</label></a></div>")
     }
 
     var tags = chal.find('.chal-tags');

CTFd/views.py

@@ -1,5 +1,6 @@
-from flask import current_app as app, render_template, render_template_string, request, redirect, abort, jsonify, json as json_mod, url_for, session, Blueprint, Response
-from CTFd.utils import authed, ip2long, long2ip, is_setup, validate_url, get_config, set_config, sha512, get_ip, cache
+from flask import current_app as app, render_template, render_template_string, request, redirect, abort, jsonify, json as json_mod, url_for, session, Blueprint, Response, send_file
+from CTFd.utils import authed, ip2long, long2ip, is_setup, validate_url, get_config, set_config, sha512, get_ip, cache, ctftime, view_after_ctf, ctf_started, \
+    is_admin
 from CTFd.models import db, Teams, Solves, Awards, Challenges, WrongKeys, Keys, Tags, Files, Tracking, Pages, Config
 
 from jinja2.exceptions import TemplateNotFound
@@ -224,3 +225,17 @@ def profile():
                                    country=country, prevent_name_change=prevent_name_change, confirm_email=confirm_email)
     else:
         return redirect(url_for('auth.login'))
+
+
+@views.route('/files', defaults={'path': ''})
+@views.route('/files/<path:path>')
+def file_handler(path):
+    f = Files.query.filter_by(location=path).first_or_404()
+    if f.chal:
+        if not is_admin():
+            if not ctftime():
+                if view_after_ctf() and ctf_started():
+                    pass
+                else:
+                    abort(403)
+    return send_file(os.path.join(app.root_path, 'uploads', f.location))

populate.py

@@ -235,7 +235,7 @@ if __name__ == '__main__':
             chal = random.randint(1, CHAL_AMOUNT)
             filename = gen_file()
             md5hash = hashlib.md5(filename).hexdigest()
-            db.session.add(Files(chal, os.path.join('static/uploads', md5hash, filename)))
+            db.session.add(Files(chal, md5hash + '/' + filename))
         db.session.commit()
 
         ### Generating Users