@ColdHeat ColdHeat released this Jan 12, 2019 · 5 commits to master since this release


2.0.3 / 2019-01-12

Security Release

This release resolves a security issue that allowed malicious users to hijack admin browser sessions in certain browsers under certain configurations.

The implemented fix is to require the new CSRF-Token header on state-changing requests with a Content-Type of application/json.
The same nonce used for standard POST requests is re-used for the CSRF-Token header.

Because of the necessary changes to the API, the previously used call to fetch() in themes should now be replaced with CTFd.fetch().

If you have questions or need help upgrading, please reach out in the CTFd Slack.


  • Require CSRF-Token header on all API requests.
  • Require CSRF protection on all HTTP methods except GET, HEAD, OPTIONS, and TRACE.
  • Default session cookie to SameSite=Lax.
  • Send initial user information request to MajorLeagueCyber over HTTPS.
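
A minimal sketch of the server-side check these items describe, added here as an illustration and not taken from CTFd's code base. The function name `csrf_ok`, the form field name `nonce`, and all sample values are assumptions.

```python
import hmac

# Methods exempt from CSRF checks, as listed in the release notes.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_ok(method, content_type, headers, form, session_nonce):
    """Return True if the request may proceed.

    headers and form are plain dicts (header names already lower-cased);
    session_nonce is the per-session nonce stored server-side.
    """
    if method.upper() in SAFE_METHODS:
        return True
    if not session_nonce:
        # No nonce in the session means nothing to compare against: reject.
        return False
    # Strip parameters such as "; charset=utf-8" before comparing.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        # JSON bodies carry no form field, so the nonce must be in the header.
        supplied = headers.get("csrf-token", "")
    else:
        # Standard POSTs carry the same nonce as a form field
        # (field name "nonce" is an assumption for this sketch).
        supplied = form.get("nonce", "")
    # Constant-time comparison avoids leaking the nonce through timing.
    return hmac.compare_digest(supplied.encode(), session_nonce.encode())


# Constructed sample requests; none of these values come from CTFd.
NONCE = "constructed-nonce-value"
SAMPLES = [
    ("GET", None, {}, {}),
    ("POST", "application/json", {"csrf-token": NONCE}, {}),
    ("PATCH", "application/json; charset=utf-8", {}, {}),
    ("POST", "application/x-www-form-urlencoded", {}, {"nonce": NONCE}),
    ("DELETE", "application/json", {"csrf-token": "wrong"}, {}),
]

if __name__ == "__main__":
    for method, ctype, headers, form in SAMPLES:
        print(method, ctype, csrf_ok(method, ctype, headers, form, NONCE))
```

A JSON request that carries the nonce only in its body or as a form field is rejected, which is why theme code that calls plain fet() without the header stops working after this release.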


  • Fix update_check() logic so that we don't accidentally remove the update notification.


  • Remove explicit usage of script_root in public JS.
    • In custom themes, use the CTFd.fetch() function (defined in CTFd.js) and register the URL root and CSRF nonce in base.html as shown below:
    var script_root = "{{ request.script_root }}";
    var csrf_nonce = "{{ nonce }}";
    CTFd.options.urlRoot = script_root;
    CTFd.options.csrfNonce = csrf_nonce;
  • Reduce the number of parameters required for static theme files.
    • i.e. url_for('views.themes') no longer requires the themes parameter. It now defaults to the currently in-use theme.