CTFd / ctfcli

ctfcli is a tool to manage Capture The Flag events and challenges
https://ctfd.io/
Apache License 2.0
165 stars 67 forks

Deployment fails if site password is set #111

Closed pl4nty closed 1 year ago

pl4nty commented 1 year ago

ctf challenge sync, install and deploy fail if a site password is configured. I noticed a site_password cookie is sent in the web UI though, and manual API calls succeed with it (e.g. curl).

ColdHeat commented 1 year ago

Yes, the site password is transmitted via a cookie. However, there isn't currently any UI to set those cookies in ctfcli. For the time being, I would disable the password and disable registration so no one can log in to the authenticated parts.

pl4nty commented 1 year ago

Yeah, I ended up disabling the password. I'm happy to write a PR for this if you want? Maybe something like

# .get() returns None when the option is absent, instead of raising KeyError
site_password = config["config"].get("site_password")
if site_password:
    s.cookies["site_password"] = site_password

https://github.com/CTFd/ctfcli/blob/45ffa11f613feb6d279c01fee4c83b5f6fd074e7/ctfcli/utils/config.py#L82-L83

ColdHeat commented 1 year ago

Sure, a PR would be great! However, I would prefer a more generic solution to the problem instead of specific keys. Perhaps if you could define an entire cookies sub-section or a cookies dictionary?

pl4nty commented 1 year ago

Looks like ConfigParser doesn't parse [config.xyz], cookies = {'site_password': 'password'}, or cookies['site_password'] = 'password', so I used a separate [cookies] section instead
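
The separate [cookies] section described in the last comment, as an added standard-library example; it is not ctfcli's code and not from the thread. The function names, the sample config values and the `Session_Hint` cookie are assumptions, as is the choice to disable interpolation and option-name lowercasing.

```python
import configparser
import urllib.request

# Constructed sample config; URL, token and cookie values are placeholders.
SAMPLE_CONFIG = """
[config]
url = https://ctf.example.com
access_token = ctfd_PLACEHOLDER_TOKEN

[cookies]
site_password = p%ssword
Session_Hint = abc
"""


def parse(text):
    """Parse config text so that cookie names and values survive unchanged."""
    # interpolation=None: a literal '%' in a password is not treated as %(name)s.
    parser = configparser.ConfigParser(interpolation=None)
    # ConfigParser lowercases option names by default; cookie names are case-sensitive.
    parser.optionxform = str
    parser.read_string(text)
    return parser


def cookies_from(parser):
    """Return every key/value pair of [cookies], or {} if the section is absent."""
    if not parser.has_section("cookies"):
        return {}
    return dict(parser["cookies"])


def build_request(parser, path):
    """Build an API request carrying the token header and all configured cookies."""
    base = parser["config"]["url"].rstrip("/")
    req = urllib.request.Request(base + path)
    req.add_header("Authorization", "Token " + parser["config"]["access_token"])
    cookies = cookies_from(parser)
    if cookies:
        # Values are sent as written; this example does no cookie-value encoding.
        req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return req
```
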