Closed pl4nty closed 1 year ago
Yes, the site password is transmitted via a cookie. However, there isn't currently any UI to set those cookies in ctfcli. For the time being, I would disable the password and disable registration so no one can log in to the authenticated parts.
Yeah, I ended up disabling the password. I'm happy to write a PR for this if you want? Maybe something like

```python
# Forward the configured site password as a cookie on the API session
if config["config"]["site_password"]:
    s.cookies["site_password"] = config["config"]["site_password"]
```
Sure, a PR would be great! However, I would prefer a more generic solution to the problem instead of specific keys. Perhaps if you could define an entire cookies sub-section or a cookies dictionary?
Looks like ConfigParser doesn't parse `[config.xyz]`, `cookies = {'site_password': 'password'}`, or `cookies['site_password'] = 'password'`, so I used a separate `[cookies]` section instead.
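One way the generic `[cookies]` section discussed above could be read and attached to API requests, as an added example that is not ctfcli's code or the code from the PR. The `[config]` keys, host, path and all values are constructed assumptions, and it uses the standard library's `urllib` instead of ctfcli's session object.

```python
import configparser
import urllib.request

# Constructed sample of a project config; every value here is made up.
SAMPLE_CONFIG = """\
[config]
url = https://ctf.example.test
access_token = constructed-token

[cookies]
site_password = p%ssw0rd
SessionHint = constructed
"""

def parse_config(text):
    # interpolation=None: a literal '%' in a secret must not be read as
    # ConfigParser interpolation syntax (the default raises on it).
    parser = configparser.ConfigParser(interpolation=None)
    # Cookie names are case-sensitive; the default optionxform lowercases keys.
    parser.optionxform = str
    parser.read_string(text)
    return parser

def load_cookies(parser):
    """Return the optional [cookies] section as a plain dict."""
    if not parser.has_section("cookies"):
        return {}
    cookies = dict(parser["cookies"])
    for name, value in cookies.items():
        # Refuse characters that would split the Cookie header or start a new one.
        if any(c in name + value for c in ";\r\n"):
            raise ValueError(f"invalid character in cookie {name!r}")
    return cookies

def build_request(parser, path):
    """Build an API request that carries every configured cookie."""
    req = urllib.request.Request(parser["config"]["url"].rstrip("/") + path)
    cookies = load_cookies(parser)
    if cookies:
        req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return req

if __name__ == "__main__":
    req = build_request(parse_config(SAMPLE_CONFIG), "/api/v1/challenges")
    print(req.full_url, req.get_header("Cookie"))
```

Because the site password then sits in the project config in plaintext, that file needs the same handling as the access token: restrictive file permissions and no commit to version control.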
`ctf challenge sync`, `install` and `deploy` fail if a site password is configured. I noticed a `site_password` cookie is sent in the web UI though, and manual API calls succeed with it (eg `curl`).