2.0.3 / 2019-01-12
Security Release
This release resolves a security issue that allowed malicious users to hijack admin browser sessions in certain browsers under certain configurations.

The implemented fix is to require the new `CSRF-Token` header on state-changing requests with a Content-Type of `application/json`. The same nonce used for standard POST requests is re-used for the `CSRF-Token` header.

Because of the necessary changes to the API, the previously used call to `fetch()` in themes should now be replaced with `CTFd.fetch()`.

If you have questions or need help upgrading, please reach out in the CTFd Slack.
Security
- Require `CSRF-Token` header on all API requests.
- Require CSRF protection on all HTTP methods except `GET`, `HEAD`, `OPTIONS`, and `TRACE`.
- Default session cookie to `SameSite=Lax`
- Send initial user information request to MajorLeagueCyber over HTTPS
General
- Fix `update_check()` logic so that we don't accidentally remove the update notification.
Themes
- Remove explicit usage of `script_root` in public JS.
- In custom themes, use the `CTFd.fetch()` function (defined in `CTFd.js`) and properly register the url root and CSRF nonce in `base.html` as shown below:

```javascript
var script_root = "{{ request.script_root }}";
var csrf_nonce = "{{ nonce }}";
CTFd.options.urlRoot = script_root;
CTFd.options.csrfNonce = csrf_nonce;
```

- Reduce the number of parameters required for static theme files.
  - i.e. `url_for('views.themes')` no longer requires the themes parameter. It now defaults to the currently in-use theme.
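To make the Security Release note and the theme guidance above concrete, the following is an added example and not CTFd's own `CTFd.js` code. It models a theme-side `fetch()` wrapper that attaches the `CSRF-Token` header only to state-changing methods (everything except `GET`, `HEAD`, `OPTIONS` and `TRACE`), prefixes the registered url root, and includes a toy model of the matching server-side decision. The names `ctfdFetch`, `buildRequest`, `requiresCsrfToken`, `serverAccepts`, `SAFE_METHODS`, the `options` object and the sample path `/api/v1/example` are assumptions made for illustration; the real `CTFd.options.urlRoot` / `CTFd.options.csrfNonce` registration in `base.html` is what a theme would actually use.

```javascript
// Added example, not CTFd's own code: a minimal theme-side fetch wrapper in the
// spirit of the CTFd.fetch() described in the 2.0.3 release notes. Names such as
// ctfdFetch, buildRequest, SAFE_METHODS and the sample URL are assumptions.

// Methods the release notes exempt from CSRF protection. Everything else is
// treated as state-changing and must carry the nonce.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Mirrors the two values base.html is expected to register
// (CTFd.options.urlRoot and CTFd.options.csrfNonce in the real theme).
const options = {
  urlRoot: "",   // rendered value of "{{ request.script_root }}"
  csrfNonce: "", // rendered value of "{{ nonce }}"
};

// Decide whether a request with this HTTP method needs the CSRF-Token header.
function requiresCsrfToken(method) {
  return !SAFE_METHODS.has(String(method || "GET").toUpperCase());
}

// Build the final URL and init object without performing the request, so the
// header logic can be inspected and tested in isolation. Expects init.headers
// to be a plain object (as in the theme JS), not a Headers instance.
function buildRequest(path, init = {}) {
  const method = String(init.method || "GET").toUpperCase();
  const headers = Object.assign({}, init.headers || {});

  if (requiresCsrfToken(method)) {
    if (!options.csrfNonce) {
      // Fail loudly in the theme rather than sending a request the server rejects.
      throw new Error("CSRF nonce not registered; set options.csrfNonce in base.html");
    }
    headers["CSRF-Token"] = options.csrfNonce;
  }

  // Prefix the application root so themes no longer hard-code script_root.
  return {
    url: options.urlRoot + path,
    init: Object.assign({}, init, {
      method,
      headers,
      // Send the session cookie on same-origin API calls only.
      credentials: "same-origin",
    }),
  };
}

// Drop-in replacement for fetch(); fetchImpl is injectable so the wrapper can be
// exercised offline. Defaults to the browser's global fetch when available.
function ctfdFetch(path, init = {}, fetchImpl = globalThis.fetch) {
  const req = buildRequest(path, init);
  return fetchImpl(req.url, req.init);
}

// Toy model of the server-side rule from the release notes: safe methods pass,
// state-changing requests must present a CSRF-Token equal to the session nonce.
// Illustrative only; CTFd's actual check lives in its Flask code, not here.
function serverAccepts(method, headers, sessionNonce) {
  if (!requiresCsrfToken(method)) return true;
  const token = headers["CSRF-Token"];
  return typeof token === "string" && token.length > 0 && token === sessionNonce;
}
```

Because the nonce is read from `options` at call time, a theme only has to register it once in `base.html`; every `PATCH`, `POST`, `PUT` or `DELETE` issued through the wrapper then carries it, while plain `GET` requests are left untouched, which is exactly the split the Security list above describes.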