diff --git a/.gitignore b/.gitignore index 15f6bd47..a0079186 100644 --- a/.gitignore +++ b/.gitignore @@ -55,4 +55,5 @@ target/ *.db *.log -.idea/ \ No newline at end of file +.idea/ +static/uploads \ No newline at end of file diff --git a/CTFd/admin.py b/CTFd/admin.py index fddad970..180d2d2f 100644 --- a/CTFd/admin.py +++ b/CTFd/admin.py @@ -268,10 +268,14 @@ def init_admin(app): md5hash = hashlib.md5(os.urandom(64)).hexdigest() # BUG NEEDS TO GO TO S3 - if not os.path.exists(os.path.join(app.config['UPLOAD_FOLDER'], md5hash)): - os.makedirs(os.path.join(app.config['UPLOAD_FOLDER'], md5hash)) + base = os.path.dirname(os.path.dirname(__file__)) + ## mod_wsgi does some sad things with cwd so the upload directory needs to be shifted a bit + if not os.path.exists(os.path.join(base, app.config['UPLOAD_FOLDER'], md5hash)): + os.makedirs(os.path.join(base, app.config['UPLOAD_FOLDER'], md5hash)) - f.save(os.path.join(app.config['UPLOAD_FOLDER'], md5hash, filename)) + f.save(os.path.join(base, app.config['UPLOAD_FOLDER'], md5hash, filename)) + + ## This needs to be relative to CTFd so doesn't nee base. db_f = Files(chalid, os.path.join(app.config['UPLOAD_FOLDER'], md5hash, filename)) db.session.add(db_f) diff --git a/CTFd/auth.py b/CTFd/auth.py index afa8c6b3..115bd997 100644 --- a/CTFd/auth.py +++ b/CTFd/auth.py 
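Review bot: The new `f.save(os.path.join(base, app.config['UPLOAD_FOLDER'], md5hash, filename))` still trusts `filename`, whose origin is above the hunk; if it is the client-supplied `f.filename` with no `werkzeug.utils.secure_filename` applied, a name containing `../` escapes the freshly created `md5hash` directory and writes wherever the process can. Sanitise it right before the save, `filename = secure_filename(filename)`, rejecting an empty result, or check `os.path.realpath(target).startswith(os.path.realpath(upload_root))` before writing. Note also that `os.path.join` discards `base` whenever `UPLOAD_FOLDER` is absolute, so the `## mod_wsgi does some sad things with cwd` comment should say the prefix only matters for a relative `UPLOAD_FOLDER`. The comment `## This needs to be relative to CTFd so doesn't nee base.` has a typo; `# The DB path stays relative to the project root, so no base prefix here.` reads better. The enclosing upload handler starts outside the hunk.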
@@ -60,11 +60,15 @@ Did you initiate a password reset? return redirect('/login') if request.method == 'POST': errors = [] - name_len = len(request.form['name']) == 0 - names = Teams.query.add_columns('name', 'id').filter_by(name=request.form['name']).first() - emails = Teams.query.add_columns('email', 'id').filter_by(email=request.form['email']).first() - pass_short = len(request.form['password']) == 0 - pass_long = len(request.form['password']) > 128 + name = request.form['name'] + email = request.form['email'] + password = request.form['password'] + + name_len = len(name) == 0 + names = Teams.query.add_columns('name', 'id').filter_by(name=name).first() + emails = Teams.query.add_columns('email', 'id').filter_by(email=email).first() + pass_short = len(password) == 0 + pass_long = len(password) > 128 valid_email = re.match("[^@]+@[^@]+\.[^@]+", request.form['email']) if not valid_email: @@ -84,7 +88,7 @@ Did you initiate a password reset? return render_template('register.html', errors=errors, name=request.form['name'], email=request.form['email'], password=request.form['password']) else: with app.app_context(): - team = Teams(request.form['name'], request.form['email'], request.form['password']) + team = Teams(name, email, password) db.session.add(team) db.session.commit() if mailserver(): @@ -102,8 +106,9 @@ Did you initiate a password reset? def login(): if request.method == 'POST': errors = [] + name = request.form['name'] # team = Teams.query.filter_by(name=request.form['name'], password=sha512(request.form['password'])).first() - team = Teams.query.filter_by(name=request.form['name']).first() + team = Teams.query.filter_by(name=name).first() if team and bcrypt_sha256.verify(request.form['password'], team.password): try: session.regenerate() # NO SESSION FIXATION FOR YOU diff --git a/CTFd/config.py b/CTFd/config.py index 4f154eeb..03b62a18 100644 --- a/CTFd/config.py +++ b/CTFd/config.py 
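Review bot: The e-mail regex line `valid_email = re.match("[^@]+@[^@]+\.[^@]+", request.form['email'])` still reads `request.form['email']` although the hunk just introduced the `email` local for exactly this purpose, so the refactor stops half way; change it to `valid_email = re.match(r"[^@]+@[^@]+\.[^@]+", email)`, with the raw-string prefix so `\.` is not an invalid escape sequence on newer Pythons. The `render_template('register.html', ...)` context line in the following hunk has the same leftover `request.form[...]` reads. Separately, `pass_short = len(password) == 0` is the only lower bound on a password while the upper bound is 128; a minimum length would be cheap, but that is a policy decision. The `register` view starts above this hunk.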
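Review bot: In `if team and bcrypt_sha256.verify(request.form['password'], team.password):` the bcrypt check is skipped entirely when no team matches `name`, so a login attempt for an unknown team name returns measurably faster than one with a wrong password and leaks which names exist; the `session.regenerate()  # NO SESSION FIXATION FOR YOU` line shows the author already cares about session attacks, so this enumeration oracle is worth closing too. Run the hash verification on both paths: passlib 1.7+ provides `bcrypt_sha256.dummy_verify()` for this, and on older versions verifying against a module-level `_DUMMY_HASH = bcrypt_sha256.encrypt('not-a-real-password')` computed once at import achieves the same. The `login` view continues below the hunk.
```python
name = request.form['name']
team = Teams.query.filter_by(name=name).first()
# Always pay the bcrypt cost so an unknown name cannot be told apart from a wrong password by timing.
if team:
    authed = bcrypt_sha256.verify(request.form['password'], team.password)
else:
    bcrypt_sha256.verify(request.form['password'], _DUMMY_HASH)  # or bcrypt_sha256.dummy_verify() on passlib >= 1.7
    authed = False
if authed:
    # … unchanged: session.regenerate() and the rest of the login flow …
```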
@@ -5,6 +5,7 @@ SQLALCHEMY_DATABASE_URI = 'sqlite:///ctfd.db' SESSION_TYPE = "filesystem" SESSION_FILE_DIR = "/tmp/flask_session" SESSION_COOKIE_HTTPONLY = True +PERMANENT_SESSION_LIFETIME = 604800 # 7 days in seconds HOST = ".ctfd.io" UPLOAD_FOLDER = os.path.normpath('static/uploads') diff --git a/CTFd/utils.py b/CTFd/utils.py index 10597ca4..727e2795 100644 --- a/CTFd/utils.py +++ b/CTFd/utils.py @@ -75,8 +75,8 @@ def admins_only(f): def ctftime(): """ Checks whether it's CTF time or not. """ - start = Config.query.filter_by(key="start").first().value - end = Config.query.filter_by(key="end").first().value + start = get_config("start") + end = get_config("end") if start: start = int(start) @@ -84,7 +84,7 @@ def ctftime(): end = int(end) if start and end: - if start < time.time() and time.time() < end: + if start < time.time() < end: # Within the two time bounds return True diff --git a/CTFd/views.py b/CTFd/views.py index d099e78f..50102498 100644 --- a/CTFd/views.py +++ b/CTFd/views.py @@ -135,13 +135,16 @@ def init_views(app): affiliation = request.form.get('affiliation') country = request.form.get('country') + user = Teams.query.filter_by(id=session['id']).first() + names = Teams.query.filter_by(name=name).first() emails = Teams.query.filter_by(email=email).first() valid_email = re.match("[^@]+@[^@]+\.[^@]+", email) name_len = len(request.form['name']) == 0 - if not bcrypt_sha256.verify(request.form.get('confirm').strip(), names.password): + if ('password' in request.form.keys() and not len(request.form['password']) == 0) and \ + (not bcrypt_sha256.verify(request.form.get('confirm').strip(), user.password)): errors.append("Your old password doesn't match what we have.") if not valid_email: errors.append("That email doesn't look right") 
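Review bot: `PERMANENT_SESSION_LIFETIME = 604800` introduces a seven-day lifetime with no `SESSION_COOKIE_SECURE` beside `SESSION_COOKIE_HTTPONLY = True`, so a session cookie that leaks over plain HTTP stays usable for a week; if the site is served only over TLS, add `SESSION_COOKIE_SECURE = True` next to it. With `SESSION_TYPE = "filesystem"` this value is presumably also what the server-side session store uses as the time-to-live of the files in `/tmp/flask_session`, which the comment `# 7 days in seconds` does not mention; `# 7 days in seconds; presumably also the TTL of server-side session files under SESSION_FILE_DIR` would. Flask accepts a `timedelta(days=7)` here, which makes the unit self-documenting.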
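Review bot: The docstring `""" Checks whether it's CTF time or not. """` does not state the contract now implied by the `get_config("start")`/`get_config("end")` reads and the `if start:` guard: a missing value and a stored `"0"` are both treated as unset, while a non-numeric value makes `int(start)` raise `ValueError` straight into the request. A docstring such as `"""Return True only while both start and end are configured and now lies between them; a missing or "0" value is treated as unset."""` would make that explicit, and a `try`/`except ValueError` around the `int()` conversions would turn a bad admin setting into a clear error rather than a 500. The `ctftime` body continues into the next hunk and beyond it.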
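Review bot: The new condition runs the `confirm` password check only when a new password is posted, so changing `email` — the address password resets go to, judging by the `Did you initiate a password reset?` text in auth.py — no longer requires the current password; the old code demanded it on every profile save (against the wrong row, `names.password`, which this hunk rightly replaces with `user.password`). Require the confirmation whenever the e-mail changes as well, and read `confirm` with a default, since `request.form.get('confirm').strip()` raises `AttributeError` when the field is absent. `user` can also be `None` if the session id no longer maps to a row, so guard it or let `first_or_404()` do so. The enclosing profile view starts above the hunk.
```python
user = Teams.query.filter_by(id=session['id']).first_or_404()
new_password = request.form.get('password', '')
confirm = request.form.get('confirm', '').strip()
# … unchanged: names / emails / valid_email / name_len lookups …
# Re-authenticate for any change that affects account recovery, not only password changes.
if (new_password or email != user.email) and not bcrypt_sha256.verify(confirm, user.password):
    errors.append("Your old password doesn't match what we have.")
```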
@@ -151,7 +154,7 @@ def init_views(app): errors.append('That email has already been used') if name_len: errors.append('Pick a longer team name') - if not validate_url(website): + if website.strip() and not validate_url(website): errors.append("That doesn't look like a valid URL") if len(errors) > 0: @@ -160,6 +163,8 @@ def init_views(app): team = Teams.query.filter_by(id=session['id']).first() team.name = name team.email = email + session['username'] = name + if 'password' in request.form.keys() and not len(request.form['password']) == 0: team.password = bcrypt_sha256.encrypt(request.form.get('password')) team.website = website diff --git a/static/js/chalboard.js b/static/js/chalboard.js index c5871d60..19fa28ae 100644 --- a/static/js/chalboard.js +++ b/static/js/chalboard.js @@ -9,6 +9,10 @@ String.prototype.format = String.prototype.f = function() { return s; }; +function htmlentities(string) { + return $('
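Review bot: `if website.strip() and not validate_url(website):` assumes `website` is a string; the sibling fields are read with `request.form.get(...)` (see `affiliation` and `country` in the previous hunk), and if `website` is read the same way it is `None` when the form omits it and `.strip()` raises `AttributeError`. Normalise it once, `website = (request.form.get('website') or '').strip()`, so this check and the later `team.website = website` store the stripped value consistently. The enclosing profile view starts above the hunk.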
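Review bot: `session['username'] = name` is written before `team.name = name` is committed, and nothing here invalidates other sessions after `team.password = bcrypt_sha256.encrypt(request.form.get('password'))`; with server-side sessions a stolen session survives a password change for its full lifetime, which is the usual expectation to break. A comment acknowledging this, `# NOTE: other live sessions for this team are not revoked on password change`, would at least make the gap visible until a per-team session version or a regenerate-on-change is added. The commit that follows is outside the hunk.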
').text(string).html(); +} + var challenges; function loadchal(id) { @@ -149,7 +153,7 @@ function getsolves(id){ var id = teams[i].id; var name = teams[i].name; var date = moment(teams[i].date).local().format('LLL'); - box.append('
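Review bot: `htmlentities` builds its result from `.html()` of a text node, and innerHTML serialisation escapes only `&`, `<` and `>`, never `"` or `'`, so the helper is safe for text content but not for a value interpolated inside an attribute such as `href="..."`; the `$('')` literal in this hunk also looks extraction-damaged, presumably `$('<div/>')`, so verify the original. Document the limitation with `// Escapes for text context only: quotes are NOT escaped, so never use the result inside an attribute value.` and prefer building nodes with `.text()` / `.attr()` where `getsolves` appends team names. The `getsolves` hunk that uses it is cut off below.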