aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-17 05:54:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix download with auth token fail after ctf (458ce2e) (#2011)

Browse Source 
* Fix issue where unauthed users couldn't download challenge files after CTF end but viewing after CTF was enabled
This commit is contained in:
Allen Guan
2022-03-07 10:25:46 +08:00
committed by GitHub
parent de6f8e059b
commit a868faffb5
2 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
CTFd/views.py
View File

@@ -409,8 +409,17 @@ def files(path):
else: else:
abort(403) abort(403)
else: else:
# User cannot view challenges based on challenge visibility
# e.g. ctf requires registration but user isn't authed or
# ctf requires admin account but user isn't admin
if not ctftime(): if not ctftime():
abort(403) # It's not CTF time. The only edge case is if the CTF is ended
# but we have view_after_ctf enabled
if ctf_ended() and view_after_ctf():
pass
else:
# In all other situations we should block challenge files
abort(403)
# Allow downloads if a valid token is provided # Allow downloads if a valid token is provided
token = request.args.get("token", "") token = request.args.get("token", "")

19
tests/test_views.py
View File

@@ -383,6 +383,19 @@ def test_user_can_access_files_with_auth_token():
r = admin.get(file_url) r = admin.get(file_url)
assert r.status_code == 200 assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load" assert r.get_data(as_text=True) == "testing file load"
with freeze_time("2017-10-7"):
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config("end", "1507262400")
set_config("view_after_ctf", True)
for v in ("public", "private"):
set_config("challenge_visibility", v)
# Unauthed users should be able to download if view_after_ctf
client = app.test_client()
r = client.get(file_url)
assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load"
finally: finally:
rmdir(directory) rmdir(directory)
destroy_ctfd(app) destroy_ctfd(app)
@@ -428,6 +441,12 @@ def test_user_can_access_files_if_view_after_ctf():
r = client.get(file_url) r = client.get(file_url)
assert r.status_code == 200 assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load" assert r.get_data(as_text=True) == "testing file load"
# Unauthed users should be able to download if view_after_ctf
client = app.test_client()
r = client.get(file_url)
assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load"
finally: finally:
rmdir(directory) rmdir(directory)