Tags: CTFd/CTFd
Mark 3.7.7 (#2747)

# 3.7.7 / 2025-04-14

**General**

- Added ability to denylist/blacklist email domains from registering
- Hints can now include an optional title that is shown to users before unlocking

**Admin Panel**

- Challenge files now show the stored sha1sum

**Deployment**

- Fixed issue where the `/api/v1/scoreboard/top/<count>` endpoint wouldn't cache different count values properly
- The `/api/v1/scoreboard/top/<count>` endpoint will now return at most the top 50 accounts
- Updated gunicorn to 23.0.0
- Updated Jinja2 to 3.1.6

Mark 3.7.6 (#2710)

# 3.7.6 / 2025-02-19

**Security**

- Added the `TRUSTED_HOSTS` configuration to more easily restrict CTFd to valid host names

**General**

- Added language switcher on the main navigation bar
- Removed autocomplete=off from login, register, and reset password forms

**Plugins**

- Challenge type plugins can now raise `ChallengeCreateException` or `ChallengeUpdateException` to show input validation messages
- Plugins specifying a config route will now appear in the Admin Panel under the Plugins section

**Translations**

- Add Romanian, Greek, Finnish, Slovenian, Swedish languages

Mark 3.7.5 (#2686)

# 3.7.5 / 2024-12-27

**Security**

- Change confirmation and reset password emails to be single use instead of only expiring in 30 minutes

**General**

- Fix issue where users could set their own bracket after registration
- If a user or team does not have a password set we allow setting a password without providing a previous password confirmation
- Fix issue where dynamic challenges did not return their attribution over the API
- Language selection is now available in the main theme navigation bar

**Admin Panel**

- A point breakdown graph showing the amount of challenge points allocated to each category has been added to the Admin Panel
- Bracket ID and Bracket Name have been added to CSV scoreboard exports
- Fix issue with certain interactions in the Media Library

**API**

- Swagger specification has been updated to properly validate
- `/api/v1/flags/types` and `/api/v1/flags/types/<type_name>` have been separated into two separate controllers

**Deployment**

- IP Tracking has been updated to only occur if we have not seen the IP before or on state changing methods
- Bump dependencies for `cmarkgfm` and `jinja2`

Mark 3.7.4 (#2621)

# 3.7.4 / 2024-10-08

**Security**

- Validate email length to be less than 320 chars to prevent Denial of Service in email validation

**General**

- Add attribution field to Challenges

**Admin Panel**

- Display brackets in the Admin Panel

**Themes**

- Display brackets for users/teams on listing pages and public/private pages
- Fix miscellaneous issues in core-beta
- Adds dark mode to core-beta theme
- Fix issue with long titles in challenge buttons
- Adds `type` and `extra` arguments to `Assets.js()` and default `defer` to `False` as `type="module"` automatically implies defer
- ECharts behavior for some graphs in core-beta can now be overridden using the following window objects `window.scoreboardChartOptions`, `window.teamScoreGraphChartOptions`, `window.userScoreGraphChartOptions`
- Update the scoreboard score graph to reflect the current active bracket changes

**Deployment**

- Add `.gitattributes` to keep LF line endings on .sh files under Windows
- Fix issues where None values are not cast to empty string
- Bump dependencies for `pybluemonday`, `requests`, and `boto3`

Mark 3.7.1 (#2549)

# 3.7.1 / 2024-05-31

**Admin Panel**

- The styling of the Config Panel has been updated to better organize different settings
- When switching user modes via the Admin Panel, all teams will now be removed
- Fix issues where importing CSVs comprised of JSON entries would fail
- Add `serializeJSON` function back into the Admin Panel

**API**

- The `/api/v1/exports/raw` API endpoint has been added to allow for exports to be generated via the API
- Update the ScoreboardDetail endpoint (`/api/v1/scoreboard/top/<count>`) to return account URL, score, and bracket
- Add a query parameter to ScoreboardDetail endpoint (`/api/v1/scoreboard/top/<count>`) to filter by bracket
- Return `function` field for DynamicValue challenges data read

**General**

- Add Italian and Vietnamese languages
- Switch to Crowdin for translations

**Themes**

- Add `defer` parameter to `Assets.js()` to allow controlling the defer attribute of inserted `<script>` tags

**Plugins**

- Plugins can now define a `config` entry in `config.json` to define a template to embed into the Config Panel
- Add the `make_cache_key_with_query_string` to allow for caching based on query string arguments

**Deployment**

- MariaDB version provided in docker-compose.yml has been updated to `10.11`
- Static assets (theme files, static files) will now return a Cache-Control header with a `max-age` of 3600
- Add the `/debug` endpoint to show CTFd debugging information
  - Currently showing the IP address that CTFd is seeing for the request and the request headers
  - `/debug` will only be enabled if the `SAFE_MODE` config is enabled

Mark 3.6.1 (#2438)

# 3.6.1 / 2023-12-12

**Security**

- Fix an issue where users could bypass Score Visibility and see a user's score/place when not allowed by Admins

**General**

- Add Slovak, Japanese, Brazilian Portuguese translations
- Update Chinese translation
- Fix Dynamic challenges not showing the Next Challenge

**API**

- Add `email` as a `field` to query to `/api/v1/users` and `/api/v1/teams` to allow searching via email address for Admins
- Accept multipart/form-data with token auth for file upload to `/api/v1/files`
- Always allow a user/team to see their own score when querying their own self endpoints regardless of Score Visibility
  - A user can always calculate their score regardless of any setting because they can simply sum all of their challenges

**Admin Panel**

- Fix an issue where polymorphic tables (i.e. solves) could not be CSV exported correctly

**Themes**

- When using core-beta, `meta` tags can now be inserted into pages from render_template calls

**Deployment**

- Fix an issue where S3 uploads would not work if the server's timezone was not set to UTC
- Update gevent dependency to `23.9.1`

Mark 3.6.0 (#2380)

# 3.6.0 / 2023-08-21

**General**

- Translations support for Spanish, Polish, German, Chinese
  - If you wish to fix or maintain a language translation please join at CTFd's public [POEditor page](https://poeditor.com/join/project/p5jhdcrlm7).
- Add a total user registration limit option
- Dynamic value challenges can now choose between linear and logarithmic decay functions
- Free hints are now visible by unauthenticated users if challenges are visible by unauthenticated users
- Fix issue where a custom field named affiliation or website prevented registration
  - No longer special case "Affiliation" or "Website" as custom field titles. Previously custom fields with those titles would set the user's affiliation or website but this behavior has been removed.

**Admin Panel**

- Challenge Preview has been improved to support arbitrary custom themes
- Long flags in the Admin Panel are now truncated but can be expanded and copied
- Add UI to mark incorrect submissions as correct
- Add the `discard` type for submissions
- Add `PATCH /api/v1/submissions/[submission_id]` to mark submissions as correct
- Add section in the Config Panel to configure `HTML_SANITIZATION`
  - Setting `HTML_SANITIZATION` to true in `config.ini` cannot be disabled via the Admin Panel
- Add wildcard for email whitelisting

**Deployment**

- Add new envvar `SKIP_DB_PING` to instruct the CTFd Docker image to not test if the database server is available
- Add new config `AWS_S3_ADDRESSING_STYLE`
  - Support selecting the [S3 addressing style](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-bucket-intro.html#access-bucket-console-ex). It defaults to "auto" as when it's not set, but can also be set to `virtual` or `path`
- Add new config `AWS_S3_CUSTOM_DOMAIN` which specifies a domain that replaces the default one in presigned download URLs
  - Required for certain S3 implementations
- Flask and Werkzeug have been upgraded to v2.0.3. Other dependencies have been updated for compatibility.
- SQLAlchemy has been updated to v1.4.
- PyMySQL has been upgraded to v1.0.2.
- The `flask` cli tool is now offered as an alternative to the `manage.py` script.
- gzip compression is now enabled in the provided nginx configuration

**API**

- API tokens now have a description field
- API tokens now start with a `ctfd_` prefix to make them easier to identify
- `GET /api/v1/hints/[hint_id]` will now return hint information for free hints for unauthenticated users if challenges are visible

**Themes**

- core-beta is now provided in all CTFd instances
- core-beta is the default theme during setup