2.0.0 is a significant change. If you are upgrading from a prior version be sure to make backups before upgrading.
In addition, 2.0.0 is a backwards-incompatible release. Many plugins will be broken in CTFd 2.0.0, and if you're having trouble updating your plugins please join the CTFd Slack for help and discussion.
General
- Separation of Teams into Users and Teams.
- Integration with MajorLeagueCyber. (https://majorleaguecyber.org)
- Data is now provided to the front-end via the REST API. (#551)
- JavaScript uses `fetch()` to consume the REST API.
- Dynamic Challenges built in.
- S3 Uploader built in. (#661)
- Real time notifications. (#600)
- Email address domain whitelisting. (#603)
- Database exporting to CSV. (#656)
- Imports/Exports rewritten to act as backups.
  - Importing no longer stacks values.
  - Exports are no longer partial.
- Reset CTF from config panel (Remove all users, solves, fails. i.e. only keep Challenge data.) (#639)
- Countries are pre-determined and selectable instead of being user-entered.
  - Countries stored based on country code.
  - Based on https://github.com/umpirsky/country-list/blob/master/data/en_US/country.csv.
- Sessions are no longer stored using secure cookies. (#658)
  - Sessions are now stored server side in a cache (`filesystem` or `redis`), allowing for session revocation.
- Challenges can now have requirements which must be met before the challenge can be seen/solved.
- Workshop mode, score hiding, registration hiding, challenge hiding have been changed to visibility settings.
- Users and Teams can now be banned preventing access to the CTF.
- Dockerfile improvements.
- WORKERS count in `docker-entrypoint.sh` defaults to 1. (#716)
- `docker-entrypoint.sh` exits on any error. (#717)
- Increased test coverage.
- Migrations have been reset.
- If upgrading from 1.2.0:
  - Make all necessary backups. Backup the database, uploads folder, and source code directory.
  - Upgrade the source code directory.
  - Set the `DATABASE_URL` in `CTFd/config.py`.
  - Run the upgrade script from the CTFd folder, i.e. `python migrations/1_2_0_upgrade_2_0_0.py`.
  - Setup the rest of CTFd and run normally.
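The move away from secure (signed) cookies matters because a signed cookie cannot be invalidated one at a time: the server keeps no state, so a banned user's cookie keeps verifying until the secret key is rotated and everyone is logged out. The following added example (illustration only, not CTFd's session code; the dict store stands in for the filesystem/redis cache and the user ids are constructed) contrasts the two models and shows why server-side storage is what makes per-user revocation possible:

```python
import hashlib
import hmac
import json
import secrets
import time


class SignedCookieSessions:
    """Client-side ("secure cookie") sessions: the session data travels in the
    cookie, protected only by an HMAC over the payload. The server keeps no
    per-session state, so it cannot invalidate one cookie; every cookie it ever
    signed stays valid until the secret key is rotated, which logs everyone out."""

    def __init__(self, secret_key: bytes):
        self.secret_key = secret_key

    def issue(self, data: dict) -> str:
        payload = json.dumps(data, sort_keys=True).encode()
        tag = hmac.new(self.secret_key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + tag

    def load(self, cookie: str):
        payload_hex, _, tag = cookie.partition(".")
        try:
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        expected = hmac.new(self.secret_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered cookie
        return json.loads(payload)


class ServerSideSessions:
    """Server-side sessions: the cookie carries only an unguessable random id and
    the data lives in a server-side cache (a dict here, standing in for the
    filesystem/redis backend). Because the server owns the state it can drop one
    session, or every session of a user, at any time."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store: dict = {}  # sid -> (expires_at, data)

    def issue(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._store[sid] = (self.clock() + self.ttl, dict(data))
        return sid

    def load(self, sid: str):
        entry = self._store.get(sid)
        if entry is None:
            return None
        expires_at, data = entry
        if self.clock() > expires_at:
            del self._store[sid]
            return None
        return data

    def revoke(self, sid: str) -> None:
        self._store.pop(sid, None)

    def revoke_user(self, user_id: int) -> int:
        """Kill every live session of one user, e.g. on ban or password change."""
        doomed = [sid for sid, (_, d) in self._store.items() if d.get("user_id") == user_id]
        for sid in doomed:
            del self._store[sid]
        return len(doomed)


def ban_demo() -> dict:
    """Constructed scenario: user 7 is logged in under each scheme, then banned."""
    cookies = SignedCookieSessions(secrets.token_bytes(32))
    cookie = cookies.issue({"user_id": 7})

    sessions = ServerSideSessions()
    laptop, phone = sessions.issue({"user_id": 7}), sessions.issue({"user_id": 7})

    revoked = sessions.revoke_user(7)  # the ban
    return {
        # nothing the server can do about the already-issued signed cookie
        "cookie_still_valid": cookies.load(cookie) is not None,
        "server_revoked": revoked,
        "server_still_valid": any(sessions.load(s) is not None for s in (laptop, phone)),
    }
```

The cost of the server-side model is that the cache becomes part of the trust boundary: whoever can read or write the session store can impersonate any user, so the redis instance must not be reachable from the challenge network.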
Themes
- Data is now provided to the front-end via the REST API.
- JavaScript uses `fetch()` to consume the REST API.
- The admin theme is no longer considered separate from the core theme and should always be together with it.
- Themes now use `url_for()` to generate URLs instead of hardcoding.
- socket.io is used to connect to CTFd to receive notifications.
- `ctf_name()` renamed to `get_ctf_name()` in themes.
- `ctf_logo()` renamed to `get_ctf_logo()` in themes.
- `ctf_theme()` renamed to `get_ctf_theme()` in themes.
- Update Font-Awesome to 5.4.1.
- Update moment.js to 2.22.2. (#704)
Plugins
- Plugins are loaded in `sorted()` order.
- Rename challenge type plugins to use .html and have simplified names. (create, update, view)
- Many functions moved around because utils.py has been broken up and refactored. (#475)
- Marshmallow (https://marshmallow.readthedocs.io) is now used by the REST API to validate and serialize/deserialize data.
- Marshmallow schemas and views are used to restrict SQLAlchemy columns to user types.
- The REST API features swagger support but this requires more utilization internally.
- Errors can now be passed between routes and decorators through message flashing. (CTFd.utils.helpers; get_errors, get_infos, info_for, error_for)
- Email registration regex relaxed. (#693)
- Many functions have moved and now have dedicated utils packages for their category.
General
- Updated to Flask 1.0 & switched documentation to suggest using `flask run` instead of `python serve.py`.
- Added the ability to make static & regex flags case insensitive.
- The `/chals` endpoint no longer lists the details of challenges.
  - The `/chals/:id` endpoint is now used to load challenge information before display.
- Admins can now see what users have solved a given challenge from the admin panel.
- Fixed issue with imports extracting files outside of the CTFd directory.
- Added import zipfile validation and optional size restriction.
- The ctftime, authentication, and admin restrictions have been converted to decorators to improve code reuse.
- 403 is now a more common status code. Previously it only indicated CSRF failure, now it can indicate login failure or other Forbidden access situations.
- Challenge previews now work consistently instead of occasionally failing to show.
- Tests are now randomly ordered with `nose-randomly`.
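The two import fixes above (files extracting outside the CTFd directory, and zip validation with a size restriction) are the same class of bug: an archive is attacker-controlled input, and both its member names and its uncompressed size need to be checked before anything touches the disk. The following is an added example of that validation, written for this changelog and not taken from CTFd's import code; the member names, size limit and `make_zip` helper are constructed for illustration:

```python
import io
import os
import shutil
import stat
import zipfile


class UnsafeArchive(ValueError):
    """Raised when an import archive must not be extracted."""


def _member_path(name: str) -> str:
    """Normalise one member name and reject anything that could land outside
    the destination: absolute paths, drive letters, or a leading '..' that
    survives normalisation (so 'a/../../x' is caught as well as '../x')."""
    normalized = os.path.normpath(name.replace("\\", "/"))
    if normalized == ".":
        raise UnsafeArchive(f"empty member name: {name!r}")
    if os.path.isabs(normalized) or os.path.splitdrive(normalized)[0]:
        raise UnsafeArchive(f"absolute path in archive: {name!r}")
    if normalized == ".." or normalized.startswith(".." + os.sep):
        raise UnsafeArchive(f"path traversal in archive: {name!r}")
    return normalized


def validate_import_zip(data: bytes, max_bytes: int = 64 * 1024 * 1024) -> list:
    """Return the normalised member paths if the archive is safe to extract.

    Rejects data that is not a zip, members that escape the destination,
    symlink members (a link into /etc would redirect later writes), and any
    archive whose total *uncompressed* size exceeds max_bytes. The compressed
    size is not a useful limit: a zip bomb is tiny on disk and huge on extract."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        raise UnsafeArchive("not a zip file")
    buf.seek(0)
    total, paths = 0, []
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            path = _member_path(info.filename)
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchive(f"symlink in archive: {info.filename!r}")
            total += info.file_size
            if total > max_bytes:
                raise UnsafeArchive(f"uncompressed size exceeds {max_bytes} bytes")
            paths.append(path)
    return paths


def safe_extract(data: bytes, dest: str, max_bytes: int = 64 * 1024 * 1024) -> list:
    """Validate, then extract into dest, re-checking every resolved target path
    against the real destination directory as a second line of defence."""
    validate_import_zip(data, max_bytes)
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, _member_path(info.filename)))
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchive(f"member resolves outside destination: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(os.path.relpath(target, root))
    return written


def make_zip(entries: dict, symlink: str = None) -> bytes:
    """Build a zip in memory from {name: bytes}. Constructed test data only,
    not a real export; `symlink` adds a member flagged as a symbolic link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        if symlink:
            info = zipfile.ZipInfo(symlink)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, "/etc/passwd")
    return buf.getvalue()
```

The size check counts `file_size` from the central directory, which an attacker can lie about; a stricter version would also count bytes as they are copied out and abort once the limit is crossed. Only admins can import in CTFd, but an admin account is exactly what a phished or reused password hands over, so the check still earns its place.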
Themes
- Admins now have the ability to upload a CTF logo from the config panel.
- Switched from the `marked` library to `Markdown-It` for client side markdown rendering.
  - This will break Challenge type plugins that override the markdown renderer since we are no longer using the marked renderers.
- Introduced the `ezpg()` JS function to make it easier to draw a progressbar modal.
- Introduced the `$.patch()` AJAX wrapper.
- Team names are truncated properly to 50 characters in `teams.html`.
- The admin panel now uses Bootstrap badges instead of buttons to indicate properties such as `admin`, `verified`, `visible`.
Plugins
- Challenge type plugins now use a global challenge object with exposed functions to specify how to display a challenge. (`preRender()`, `render()`, `postRender()`, `submit()`)
  - Challenge type plugins also have access to `window.challenge.data`, which allows the previously mentioned functions to process challenge data and change logic accordingly.
- Challenge type plugins now get full control over how a challenge is displayed via the nunjucks files.
- Challenge plugins should now pass the entire flag/key object to a Custom flag type.
  - This allows the flag type to make use of the data column to decide how to operate on the flag. This is used to implement case insensitive flags.
- Challenge modals (`modal.njk`) now use `{{ description }}` instead of `{{ desc }}`, properly aligning with the database schema.
- The update and create modals now inject data into the modal via nunjucks instead of client side JavaScript.
- The `utils.base64decode()` & `utils.base64encode()` functions no longer expose url encoding/decoding parameters.
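Passing the whole flag row to the flag type is what lets a type interpret its own `data` column. The following added example (not CTFd's flag-type code; the `Flag` dataclass, the `case_insensitive` marker and the sample flags are constructed for illustration) shows a static and a regex type built that way, together with two checks a practitioner would expect: a constant-time comparison for static flags and a fully anchored regex match so trailing junk cannot ride along on a pattern:

```python
import hmac
import re
from dataclasses import dataclass


@dataclass
class Flag:
    """Stand-in for one row of the flags table: which type handles it, the
    stored content, and the free-form data column that the type interprets."""
    type: str
    content: str
    data: str = ""


class BaseFlag:
    name = "base"

    @staticmethod
    def compare(flag: Flag, provided: str) -> bool:
        raise NotImplementedError


class StaticFlag(BaseFlag):
    """Exact match. data == "case_insensitive" folds both sides first."""
    name = "static"

    @staticmethod
    def compare(flag: Flag, provided: str) -> bool:
        saved = flag.content
        if flag.data == "case_insensitive":
            saved, provided = saved.casefold(), provided.casefold()
        # Constant-time comparison: a plain == returns at the first differing
        # byte, which lets a submitter confirm a flag prefix by timing.
        return hmac.compare_digest(saved.encode("utf-8"), provided.encode("utf-8"))


class RegexFlag(BaseFlag):
    """Pattern match. fullmatch anchors both ends, so 'CTFd{x}junk' cannot
    satisfy a pattern that only describes 'CTFd{x}'."""
    name = "regex"

    @staticmethod
    def compare(flag: Flag, provided: str) -> bool:
        re_flags = re.IGNORECASE if flag.data == "case_insensitive" else 0
        return re.fullmatch(flag.content, provided, re_flags) is not None


FLAG_CLASSES = {cls.name: cls for cls in (StaticFlag, RegexFlag)}


def check_submission(flags, provided: str) -> bool:
    """True if the submission satisfies any of the challenge's flags. Each
    flag is dispatched to its own type with the whole row, so a type can read
    data (or any future column) without the caller knowing about it."""
    for flag in flags:
        try:
            flag_class = FLAG_CLASSES[flag.type]
        except KeyError:
            raise KeyError(f"no flag type registered for {flag.type!r}") from None
        if flag_class.compare(flag, provided):
            return True
    return False
```

Regex flags are written by challenge authors, so they are trusted input, but a careless pattern with nested quantifiers can still be made to backtrack for seconds by a crafted submission; keep regex flags simple and prefer static flags where the answer is fixed.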
General
- [SECURITY] Fixed XSS in team website. (#604)
- Fixed deleting challenges that have a hint associated. (#601)
Themes
- Removed "SVG with JavaScript" in favor of "Web Fonts with CSS". (#604)
General
- [SECURITY] Fixed XSS in team name field on team deletion. (#592)
- Fixed an issue where MariaDB defaults in Docker Compose caused difficult to debug 500 errors. (#566)
- Improved Docker usage:
  - Redis cache
  - Configurable amount of workers
  - Easier to access logs
  - Plugin requirements are installed on image build.
  - Switched from the default gunicorn synchronous worker to gevent
- Fixed an issue where ties would be broken incorrectly if there are challenges that are worth 0 points. (#577)
- Fixed update checks not happening on CTFd start. (#595)
- Removed the static_html handler to access raw HTML files. (#561)
  - Pages is now the only supported means of accessing/creating a page.
- Removed uwsgi specific configuration files.
- Fixed issue with Docker image having a hard coded database host name. (#587)
Themes
- Fixed scrollbar showing on pages that are smaller than the screen size (#589)
- Fixed displaying the team rank while in workshop mode. (#590)
- Fixed flag modal not clearing when creating multiple new flags. (#594)
Plugins
- Add a utility decorator to allow routes to forego CSRF protection. (#596)
General
- Fixed page links on subdirectory deployments
- Fixed challenge updating on subdirectory deployments
- Fixed broken icon buttons on Safari
Themes
- Upgraded to Bootstrap 4.0.0
- Upgraded to jQuery 3.3.1
- Upgraded to FontAwesome 5.0.4
General
- Fixed regression where users could not be promoted to admins or verified.
- Fixed two icons in the Media Library which were not updated to Font Awesome 5.
- Challenge previews now include tags, hints, and files.
- Fixed an issue where a page could not be published immediately after being saved.
Themes
- Upgraded to Bootstrap 4 Beta v3. No major changes needed by themes.
- Fixed issue where the frozen message was not centered in the team page.
- The JavaScript `update()` function now has a callback instead of being hardcoded.
- `chalboard.js` now passes `script_root` into the Nunjucks templates so that file downloads work properly under subdirectories.
Themes
- The original theme has been replaced by the core theme. The core theme is written in Bootstrap v4.0.0-beta.2 and significantly reduces the amount of custom styles/classes used.
- Challenges can now be previewed from the admin panel.
- The modals to modify files, flags, tags, and hints are no longer controlled by Challenge Type Plugins and are defined in CTFd itself.
- The admin graphs and admin statistics pages have been combined.
- Percentage solved for challenges has been moved to the new statistics page.
- The scoregraph on the scoreboard has been cleaned up to better fit the page width.
- Score graphs now use user-specific colors.
- Hints can now be previewed from the admin panel.
- Various confirmation modals have been replaced with `ezq.js`, a simple Bootstrap modal wrapper.
- Fixed a bug where challenge buttons on the challenge board would load before being styled as solved.
- FontAwesome has been upgraded to FontAwesome 5.
- Themes are now rendered using the Jinja2 SandboxedEnvironment.
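Rendering themes in a `SandboxedEnvironment` changes what a malicious or compromised theme (or a page whose content reaches a template) can do: the sandbox refuses attribute access that would climb from an ordinary value into Python internals, which is the standard server-side template injection route. The following added example is an illustration of that behaviour, not CTFd's rendering code; it requires Jinja2 to be installed and the two templates are constructed for the demonstration:

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed theme templates. The hostile one uses the classic server-side
# template injection shape: walk from a string literal up the class hierarchy
# and enumerate every Python class loaded in the process.
BENIGN_TEMPLATE = "<title>{{ ctf_name }}</title>"
HOSTILE_TEMPLATE = "{{ ''.__class__.__mro__[1].__subclasses__() }}"


def render_unsandboxed(source: str, **context) -> str:
    """Plain Environment: template code has the run of the interpreter."""
    return Environment(autoescape=True).from_string(source).render(**context)


def render_sandboxed(source: str, **context) -> str:
    """SandboxedEnvironment: attribute lookups are filtered, and anything that
    looks internal (leading underscore, function internals, ...) is replaced by
    an undefined value that raises SecurityError when it is used."""
    return SandboxedEnvironment(autoescape=True).from_string(source).render(**context)


def sandbox_blocks(source: str, **context) -> bool:
    """True if the sandbox refuses to render the template."""
    try:
        render_sandboxed(source, **context)
    except SecurityError:
        return True
    return False
```

The caveat is in the last assertion of the accompanying test: the sandbox restricts what template code can reach through Python objects, not what is handed to it in the context. A secret passed into `render()` is readable by any template, sandboxed or not, so what a theme can see is still decided by the view that renders it.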
Database
- `Keys.key_type` has been renamed to `Keys.type`.
- Pages Improvements:
  - Page previews are now independent of the editor page.
  - Pages now have a title which refers to the link's name on the navbar.
  - Pages can now be drafts which cannot be seen by regular users.
  - Pages can now require authentication to view.
  - CSS editing has been moved to the config panel.
Challenge Type Plugins
- Handlebars has been replaced with Nunjucks which means Challenge Type Plugins using Handlebars must be updated to work with 1.1.0
General
- CTFs can now be paused to prevent solves.
- A new authed_only decorator is available to restrict pages to logged-in users.
- CTFd will now check for updates against `versioning.ctfd.io`. Admins will see in the admin panel that CTFd can be updated.
- A ratelimit function has been implemented. Authentication and email related functions are now ratelimited.
- Code coverage from codecov.
- Admins can now see the reason why an email to a team failed to send.
- SMTP email connections take priority over mailgun settings now. The opposite used to be true.
- The JavaScript `submitkey()` function now takes an optional callback.
- `utils.get_config()` no longer looks at `app.config` values. Instead use `utils.get_app_config()`.
- Only prompt about upgrades when running with a TTY.
- Challenge Type Plugins now have a static interface which should be implemented by all challenge types.
  - Challenge Type Plugins are now self-contained in the plugin system, meaning you no longer need to manipulate themes in order to register Challenge Type Plugins.
  - Challenge Type plugins should implement the create, read, update, delete, attempt, solve, and fail static methods.
  - Challenge Type plugins now use strings for both their IDs and names.
  - Challenge Type plugins now contain references to their related modal template files.
- Plugins can now register directories and files to be served by CTFd
  - `CTFd.plugins.register_plugin_assets_directory` registers a directory to be served
  - `CTFd.plugins.register_plugin_asset` registers a file to be served
- Plugins can now add to the admin and user menu/nav bars
  - Plugins can now add to the admin menu bar with `CTFd.plugins.register_admin_plugin_menu_bar`
  - Plugins can now add to the user menu bar with `CTFd.plugins.register_user_page_menu_bar`
- Plugins should now use `config.json` to define plugin attributes in lieu of config.html. Backwards compatibility has been maintained. With `config.json`, plugins can now control where the user is linked to instead of being directed to config.html.
- The challenge type and key type columns are now strings.
- Some utils functions now have `CTFd.plugins` wrappers.
- There is now a `/team` endpoint which takes the user to their own public profile.
- Mail server username and passwords are no longer rendered in the Admin Config panel.
- Users can now see their own user graphs when scores are hidden.
- `prepare.sh` is now marked executable.
- Spinners are now properly removed if there is no data to display.
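Rate limiting the authentication and email routes is what turns an online password-guessing or email-bombing attempt from free into slow. The following added example is not CTFd's ratelimit implementation; it is a self-contained sliding-window limiter with a decorator, applied to a constructed `login` stand-in (the user table, IPs and limits are invented for the demonstration), written so the window can be driven by a fake clock:

```python
import functools
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per key in any `window`
    seconds. The clock is injectable so the behaviour can be tested."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)  # key -> event timestamps, oldest first

    def allow(self, key) -> bool:
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # forget events that have left the window
        if len(hits) >= self.limit:
            return False  # rejected attempts are not recorded, so they do not extend the lockout
        hits.append(now)
        return True


def ratelimit(limiter: RateLimiter, key_func, denied):
    """Decorator: derive the bucket key from the call arguments (for auth and
    email routes, the client IP) and return `denied` once the bucket is full."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            if not limiter.allow(key_func(*args, **kwargs)):
                return denied
            return func(*args, **kwargs)
        return wrapper
    return decorator


# Constructed stand-in for a login route. Real code takes the client IP from
# the request; behind a reverse proxy that means the header the proxy sets,
# otherwise every user shares the proxy's single bucket.
FAKE_USERS = {"alice": "correct horse battery staple"}
LOGIN_LIMITER = RateLimiter(limit=5, window=60)


@ratelimit(LOGIN_LIMITER, key_func=lambda ip, user, pw: ip, denied=(429, "too many attempts"))
def login(ip: str, username: str, password: str):
    if FAKE_USERS.get(username) == password:
        return (200, "ok")
    return (403, "bad credentials")
```

Keying only on IP is the usual first cut; a credential-stuffing run spread across many addresses still gets five tries per address against every account, so a second bucket keyed on the username is worth adding for login specifically.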
Always backup your database before upgrading!
- Add spinners to the original theme for loading graphs
- Plugins can register global JS files with `utils.register_plugin_script()`
- Plugins can register global CSS files with `utils.register_plugin_stylesheet()`
- Challenge type plugins can now control the response to a user's input
- Vagrantfile!
- Containers functionality has been moved into a plugin
- Hide solves from the JSON endpoint when hiding scores.
- The `utils.get_config()` function now checks for lower case and upper case values specified in `config.py`
- Pages are now cached so that we don't hit the database every time we need to load a page.
- The /top/10 endpoint has been changed to group users by ID instead of by name.
- Admins are allowed to see and solve challenges before a CTF starts.
- The CTF time configuration UI has been fixed to allow for the removal of times.
- The score graph in the original theme is now sorted by score.
- Bug fixes
- Use strings to store IP addresses.
- Take into account awards when we calculate a user's place.
- Plugin configuration clears the cache.
- More logging inside of auth.py.
- Username and password in the SMTP mail configuration are now optional.
- Markdown in challenges has been fixed to its pre-regression state and is easier to write.
- Improvements to Python 3 compatibility.
- Variety of new tests to further test behavior.
- Fixed an old bug where users would incorrectly see a challenge with 0 solves.
- Increased Unicode support. Smileys everywhere 👌
- MySQL charset defaults to utf8mb4
- Pages feature now supports Markdown and the Pages editor has a preview button
- IPv6 support for users' IP addresses
- Theme switching no longer requires a server restart
- Admins can now search for teams in the admin panel
- The config.html page for plugins are now Jinja templates giving them much more functionality
- Hints are automatically unlocked once the CTF is finished
- Themes now have a dedicated themes folder
- Graphs are now transparent so that themes can style the background
- Tags are now inserted into the classes of challenge buttons on the default theme
- There is now an `override_template()` function allowing plugins to replace the content of any template loaded by CTFd
- Changes to the email confirmation flow and making confirmation email resending user controlled.
- Challenges can now have max attempts set on a per challenge level
- Setup now automatically logs you in as an admin. Don't leave your CTFs unconfigured!
- Tests are now executed by TravisCI! Help out by adding tests for functionality!
- CTFd now has its own GitHub organization!
- From a plugin you can replace most of the utils functions used by CTFd. This allows plugins to replace even more functionality within CTFd
- CTFd now has a concept of Hints!
- You can now customize the challenge editing modals in the admin panel
- There are now links to social media pages where you can follow CTFd to track updates.
- CTFd now has the ability to export and import data. This lets you save your CTFs as zip files and redeploy them again and again.
- Challenge types
  - This means CTFd now supports multiple kinds of challenges.
  - Challenges are now modifiable with a plugin.
- Solve types
  - This means CTFd now supports multiple kinds of flags/keys.
  - The flag/key logic is now modifiable with a plugin.
- Plugins are now allowed a configuration page
- The formerly massive admin.py is separated out into easier to work on chunks
- Improved Dockerfile and associated docker-compose file
- Fixes Python 3 compatibility
- Fixes a variety of glitches reported by users
- Always backup database before upgrading!
Implemented enhancements:
- 1.0.0 release! Things work!
- Manage everything from a browser
- Run Containers
- Themes
- Plugins
- Database migrations
Closed issues:
- Closed out 94 issues before tagging 1.0.0
Merged pull requests:
- Merged 42 pull requests before tagging 1.0.0