CTFd#2003 - All numeric registration codes (CTFd#2004)

* fix: cast registration_code to string during register * test: add test to confirm numeric registration codes
DA-ETSIINF · Oct 11, 2021 · 3e6f635 · 3e6f635
1 parent 514ab2c
commit 3e6f635
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/CTFd/auth.py b/CTFd/auth.py
@@ -197,7 +197,7 @@ def register():
         website = request.form.get("website")
         affiliation = request.form.get("affiliation")
         country = request.form.get("country")
-        registration_code = request.form.get("registration_code", "")
+        registration_code = str(request.form.get("registration_code", ""))
 
         name_len = len(name) == 0
         names = Users.query.add_columns("name", "id").filter_by(name=name).first()
@@ -214,7 +214,7 @@ def register():
         if get_config("registration_code"):
             if (
                 registration_code.lower()
-                != get_config("registration_code", default="").lower()
+                != str(get_config("registration_code", default="")).lower()
             ):
                 errors.append("The registration code you entered was incorrect")
 

diff --git a/tests/users/test_auth.py b/tests/users/test_auth.py
@@ -464,3 +464,33 @@ def test_registration_code_required():
             assert r.status_code == 302
             assert r.location.startswith("http://localhost/challenges")
     destroy_ctfd(app)
+
+
+def test_registration_code_allows_numeric():
+    """
+    Test that registration code is allowed to be all numeric
+    """
+    app = create_ctfd()
+    with app.app_context():
+        # Set a registration code
+        set_config("registration_code", "1234567890")
+
+        with app.test_client() as client:
+            # Load CSRF nonce
+            r = client.get("/register")
+            resp = r.get_data(as_text=True)
+            assert "Registration Code" in resp
+            with client.session_transaction() as sess:
+                data = {
+                    "name": "user",
+                    "email": "[email protected]",
+                    "password": "password",
+                    "nonce": sess.get("nonce"),
+                }
+
+            # Attempt registration with numeric registration code
+            data["registration_code"] = "1234567890"
+            r = client.post("/register", data=data)
+            assert r.status_code == 302
+            assert r.location.startswith("http://localhost/challenges")
+    destroy_ctfd(app)