Allow teams with null passwords to create invite codes without settin…

…g their team password (CTFd#2548) * Allow teams with null passwords to create invite codes without setting their team password This loosens the fix implemented in CTFd#2485. Teams with NULL passwords can now generate invite codes that are signed with only the CTFd secret key. The original idea was to use both the secret key and team password to allow revocation of the invite by changing the password but this achieves the same effect as if the team sets a password, the invite generated with only the secret key will no longer work
SDKAAA · Jun 1, 2024 · 2715b48 · 2715b48
1 parent 2cf0aec
commit 2715b48
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 17 deletions.
diff --git a/CTFd/api/v1/teams.py b/CTFd/api/v1/teams.py
@@ -419,19 +419,6 @@ def post(self):
                 403,
             )
 
-        if team.password is None:
-            return (
-                {
-                    "success": False,
-                    "errors": {
-                        "": [
-                            "Please set a team password before generating an invite code"
-                        ]
-                    },
-                },
-                403,
-            )
-
         invite_code = team.get_invite_code()
         response = {"code": invite_code}
         return {"success": True, "data": response}

diff --git a/CTFd/models/__init__.py b/CTFd/models/__init__.py
@@ -679,8 +679,10 @@ def get_invite_code(self):
         if isinstance(secret_key, str):
             secret_key = secret_key.encode("utf-8")
 
-        team_password_key = self.password.encode("utf-8")
-        verification_secret = secret_key + team_password_key
+        verification_secret = secret_key
+        if self.password:
+            team_password_key = self.password.encode("utf-8")
+            verification_secret += team_password_key
 
         invite_object = {
             "id": self.id,
@@ -719,8 +721,10 @@ def load_invite_code(cls, code):
         team = cls.query.filter_by(id=team_id).first_or_404()
 
         # Create the team specific secret
-        team_password_key = team.password.encode("utf-8")
-        verification_secret = secret_key + team_password_key
+        verification_secret = secret_key
+        if team.password:
+            team_password_key = team.password.encode("utf-8")
+            verification_secret += team_password_key
 
         # Verify the team verficiation code
         verified = hmac(str(team.id), secret=verification_secret) == invite_object["v"]