VCGithubCode
diff --git a/‎content/pages/02-development-environments/08-bash-shell.markdown‎
Lines changed: 5 additions & 0 deletions b/‎content/pages/02-development-environments/08-bash-shell.markdown‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎content/pages/02-development-environments/12-tmux.markdown‎
Lines changed: 4 additions & 0 deletions b/‎content/pages/02-development-environments/12-tmux.markdown‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎content/pages/04-web-development/46-webhooks.markdown‎
Lines changed: 4 additions & 0 deletions b/‎content/pages/04-web-development/46-webhooks.markdown‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎content/pages/04-web-development/57-sql-injection.markdown‎
Lines changed: 5 additions & 0 deletions b/‎content/pages/04-web-development/57-sql-injection.markdown‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎content/pages/10-working/01-event-streams.markdown‎
Lines changed: 2 additions & 1 deletion b/‎content/pages/10-working/01-event-streams.markdown‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎content/pages/examples/flask/flask-app-badrequest.markdown‎
Lines changed: 5 additions & 6 deletions b/‎content/pages/examples/flask/flask-app-badrequest.markdown‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎content/pages/examples/flask/flask-app-flask.markdown‎
Lines changed: 81 additions & 28 deletions b/‎content/pages/examples/flask/flask-app-flask.markdown‎
Lines changed: 81 additions & 28 deletions
diff --git a/‎content/pages/examples/flask/flask-app-headers.markdown‎
Lines changed: 1 addition & 1 deletion b/‎content/pages/examples/flask/flask-app-headers.markdown‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/pages/examples/flask/flask-app-immutabledict.markdown‎
Lines changed: 3 additions & 5 deletions b/‎content/pages/examples/flask/flask-app-immutabledict.markdown‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎content/pages/examples/flask/flask-cli-appgroup.markdown‎
Lines changed: 6 additions & 8 deletions b/‎content/pages/examples/flask/flask-cli-appgroup.markdown‎
Lines changed: 6 additions & 8 deletions
@@ -226,3 +226,8 @@ to try to avoid as you work with the shell or write scripts.
   open new Bash shells. On many systems you can easily cut down the startup
   time for the shell which can be unnecessarily sluggish.
 
+* [Bash HTTP monitoring dashboard](https://raymii.org/s/software/Bash_HTTP_Monitoring_Dashboard.html)
+  ([source code](https://github.com/RaymiiOrg/bash-http-monitoring))
+  is a useful application fully written in Bash shell scripts that
+  monitors the health of one or more websites to make sure they are
+  up and running.
@@ -28,6 +28,10 @@ easier to use many shells at once and attaching to both local and remote
   tmux+Vim user myself, I can attest to how great these two tools complement
   each other.
 
+* [Writing & Coding Workflow](http://jacobzelko.com/workflow/) shows one 
+  developer's configuration that combines [Vim](/vim.html) and several plugins
+  with tmux for a productive setup.
+
 * [Making tmux Pretty and Usable - A Guide to Customizing your tmux.conf](http://www.hamvocke.com/blog/a-guide-to-customizing-your-tmux-conf/)
 
 * [Tmux Pairing Anywhere: On Your Box](http://iamvery.com/2013/11/16/tmux-pairing-anywhere-on-your-box.html)
 
@@ -32,6 +32,10 @@ otherwise independent web applications.
   for how to receive an HTTP POST webhook request, as well as how to test
   it locally with Ngrok.
 
+* [Webhooks for Beginners - Full Course](https://www.youtube.com/watch?v=41NOoEz3Tzc)
+  is an entire free video course that shows both how to use and implement
+  webhooks into applications.
+
 * [Should you build a webhooks API?](https://brandur.org/webhooks)
 
 * [Webhooks do’s and dont’s: what we learned after integrating +100 APIs](https://restful.io/webhooks-dos-and-dont-s-what-we-learned-after-integrating-100-apis-d567405a3671)
 
@@ -24,3 +24,8 @@ can affect both [relational databases](/databases.html) and
 * [Securing your site like it's 1999](https://24ways.org/2018/securing-your-site-like-its-1999/)
   covers a bunch of common web application vulnerabilities including
   SQL injection.
+
+* [Automating Blind Sql Injection](https://bad-jubies.github.io/Blind-SQLi-1/)
+  shows how to use Python to execute SQL injection on the example
+  [Damn Vulnerable Web Application](https://github.com/digininja/DVWA)
+  project.
@@ -54,4 +54,5 @@ keep up with the constant flood of data from the source of an event stream.
   is specific to AWS Kinesis but it explains how Amazon uses event
   streams at scale to run and coordinate a significant number of their 
   services. When their event streams service went down... it took a
-  whole lot of other stuff down at the same time.
+  whole lot of other stuff down at the same time. There is also some 
+  [additional analysis in this post by an independent developer](https://ryanfrantz.com/posts/aws-kinesis-outage-analysis.html).
@@ -266,22 +266,21 @@ The code is open sourced under the
 ~~from werkzeug.exceptions import BadRequest, Forbidden, HTTPException, NotFound
 
 from indico.util.i18n import _
-from indico.util.string import to_unicode
 
 
 def get_error_description(exception):
     try:
         description = exception.description
     except AttributeError:
-        return to_unicode(exception.message)
+        return str(exception)
     if isinstance(exception, Forbidden) and description == Forbidden.description:
-        return _(u"You are not allowed to access this page.")
+        return _("You are not allowed to access this page.")
     elif isinstance(exception, NotFound) and description == NotFound.description:
-        return _(u"The page you are looking for doesn't exist.")
+        return _("The page you are looking for doesn't exist.")
 ~~    elif isinstance(exception, BadRequest) and description == BadRequest.description:
-        return _(u"The request was invalid or contained invalid arguments.")
+        return _("The request was invalid or contained invalid arguments.")
     else:
-        return to_unicode(description)
+        return str(description)
 
 
 class IndicoError(Exception):
 
@@ -19,7 +19,7 @@ application's functionality, including URL rounting,
 and <a href="/flask-app-immutabledict-examples.html">ImmutableDict</a>
 are several other callables with code examples from the same `flask.app` package.
 
-You should read up on these subjects along with these `Flask` examples:
+These subjects go along with the `Flask` code examples:
 
 * [web development](/web-development.html) and [web design](/web-design.html)
 * [Flask](/flask.html) and [web framework](/web-frameworks.html) concepts
@@ -88,34 +88,82 @@ as-is to run CTF events, or modified for custom rules for related
 scenarios. CTFd is open sourced under the
 [Apache License 2.0](https://github.com/CTFd/CTFd/blob/master/LICENSE).
 
-[**CTFd / manage.py**](https://github.com/CTFd/CTFd/blob/master/././manage.py)
+[**CTFd / tests / test_themes.py**](https://github.com/CTFd/CTFd/blob/master/./tests/test_themes.py)
 
 ```python
-# manage.py
-~~from flask import Flask
-from flask_sqlalchemy import SQLAlchemy
-from flask_script import Manager
-from flask_migrate import Migrate, MigrateCommand
-from CTFd import create_app
-from CTFd.utils import get_config as get_config_util, set_config as set_config_util
-from CTFd.models import *
+# test_themes.py
+
+from flask import request
+from jinja2.sandbox import SecurityError
+from werkzeug.test import Client
+
+from CTFd.utils import get_config
+from tests.helpers import create_ctfd, destroy_ctfd, gen_user, login_as_user
+
+
+def test_themes_run_in_sandbox():
+    app = create_ctfd()
+    with app.app_context():
+        try:
+            app.jinja_env.from_string(
+                "{{ ().__class__.__bases__[0].__subclasses__()[40]('./test_utils.py').read() }}"
+            ).render()
+        except SecurityError:
+            pass
+        except Exception as e:
+            raise e
+    destroy_ctfd(app)
+
+
+def test_themes_cant_access_configpy_attributes():
+    app = create_ctfd()
+    with app.app_context():
+        assert app.config["SECRET_KEY"] == "AAAAAAAAAAAAAAAAAAAA"
+        assert (
+            app.jinja_env.from_string("{{ get_config('SECRET_KEY') }}").render()
+            != app.config["SECRET_KEY"]
+        )
+    destroy_ctfd(app)
+
 
-app = create_app()
+def test_themes_escape_html():
 
-manager = Manager(app)
-manager.add_command("db", MigrateCommand)
+
+## ... source file abbreviated to get to Flask examples ...
+
+
+
+            r = client.get("/challenges")
+            assert r.status_code == 200
+            assert "Challenges" in r.get_data(as_text=True)
+
+            r = client.get("/scoreboard")
+            assert r.status_code == 200
+            assert "Scoreboard" in r.get_data(as_text=True)
+    destroy_ctfd(app)
 
 
-def jsenums():
-    from CTFd.constants import JS_ENUMS
-    import json
-    import os
+def test_that_request_path_hijacking_works_properly():
+    app = create_ctfd(setup=False, application_root="/ctf")
+    assert app.request_class.__name__ == "CTFdRequest"
+    with app.app_context():
+        with app.test_request_context("/challenges"):
+            assert request.path == "/ctf/challenges"
+    destroy_ctfd(app)
 
-    path = os.path.join(app.root_path, "themes/core/assets/js/constants.js")
+    app = create_ctfd()
+    assert app.request_class.__name__ == "CTFdRequest"
+    with app.app_context():
+        with app.test_request_context("/challenges"):
+            assert request.path == "/challenges"
 
-    with open(path, "w+") as f:
-        for k, v in JS_ENUMS.items():
-            f.write("const {} = Object.freeze({});".format(k, json.dumps(v)))
+~~        from flask import Flask
+
+~~        test_app = Flask("test")
+        assert test_app.request_class.__name__ == "Request"
+        with test_app.test_request_context("/challenges"):
+            assert request.path == "/challenges"
+    destroy_ctfd(app)
 
 
 
@@ -215,7 +263,6 @@ from sqlalchemy import event
 from sqlalchemy.engine import Engine
 from sqlalchemy.exc import OperationalError, ProgrammingError
 
-from flaskbb._compat import iteritems, string_types
 from flaskbb.extensions import (alembic, allows, babel, cache, celery, csrf,
                                 db, debugtoolbar, limiter, login_manager, mail,
                                 redis_store, themes, whooshee)
@@ -249,6 +296,7 @@ from .forum import views as forum_views  # noqa
 from .management import views as management_views  # noqa
 from .user import views as user_views  # noqa
 
+
 logger = logging.getLogger(__name__)
 
 
@@ -740,8 +788,8 @@ def on_disconnect():
     disconnected = '/'
 
 
-@socketio.on('connect', namespace='/test')
-def on_connect_test():
+@socketio.event(namespace='/test')
+def connect():
     send('connected-test')
 
 
@@ -789,10 +837,15 @@ def on_connect_test():
         self.assertEqual(len(received), 1)
         self.assertEqual(received[0]['args'], {'connected': 'foo'})
 
-
-if __name__ == '__main__':
-    unittest.main()
-
+    def test_encode_decode(self):
+        client = socketio.test_client(app)
+        client.get_received()
+        data = {'foo': 'bar', 'invalid': socketio}
+        self.assertRaises(TypeError, client.emit, 'my custom event', data,
+                          callback=True)
+        data = {'foo': 'bar'}
+        ack = client.emit('my custom event', data, callback=True)
+        data['foo'] = 'baz'
 
 
 ## ... source file continues with no further Flask examples...
 
@@ -22,7 +22,7 @@ Flask web applications.
 and <a href="/flask-app-immutabledict-examples.html">ImmutableDict</a>
 are several other callables with code examples from the same `flask.app` package.
 
-These topics are also useful while reading the `Headers` examples:
+These subjects go along with the `Headers` code examples:
 
 * [web development](/web-development.html) and [web design](/web-design.html)
 * [Flask](/flask.html) and [web framework](/web-frameworks.html) concepts
 
@@ -40,8 +40,6 @@ The code is open sourced under the
 ```python
 # config.py
 
-from __future__ import absolute_import, unicode_literals
-
 import ast
 import codecs
 import os
@@ -86,8 +84,8 @@ DEFAULTS = {
 
         allowed |= set(INTERNAL_DEFAULTS)
     for key in set(data) - allowed:
-        warnings.warn('Ignoring unknown config key {}'.format(key))
-    return {k: v for k, v in data.iteritems() if k in allowed}
+        warnings.warn(f'Ignoring unknown config key {key}')
+    return {k: v for k, v in data.items() if k in allowed}
 
 
 def load_config(only_defaults=False, override=None):
@@ -112,7 +110,7 @@ def load_config(only_defaults=False, override=None):
 ~~    return ImmutableDict(data)
 
 
-class IndicoConfig(object):
+class IndicoConfig:
 
     __slots__ = ('_config', '_exc')
 
 
@@ -35,8 +35,6 @@ The code is open sourced under the
 ```python
 # util.py
 
-from __future__ import unicode_literals
-
 import traceback
 from importlib import import_module
 
@@ -56,16 +54,16 @@ def _create_app(info):
 class IndicoFlaskGroup(FlaskGroup):
 
     def __init__(self, **extra):
-        super(IndicoFlaskGroup, self).__init__(create_app=_create_app, add_default_commands=False,
-                                               add_version_option=False, set_debug_flag=False, **extra)
+        super().__init__(create_app=_create_app, add_default_commands=False, add_version_option=False,
+                         set_debug_flag=False, **extra)
         self._indico_plugin_commands = None
 
     def _load_plugin_commands(self):
         assert False
 
     def _wrap_in_plugin_context(self, plugin, cmd):
         cmd.callback = wrap_in_plugin_context(plugin, cmd.callback)
-        for subcmd in getattr(cmd, 'commands', {}).viewvalues():
+        for subcmd in getattr(cmd, 'commands', {}).values():
             self._wrap_in_plugin_context(plugin, subcmd)
 
     def _get_indico_plugin_commands(self, ctx):
@@ -77,12 +75,12 @@ class IndicoFlaskGroup(FlaskGroup):
             ctx.ensure_object(ScriptInfo).load_app()
             cmds = named_objects_from_signal(signals.plugin.cli.send(), plugin_attr='_indico_plugin')
             rv = {}
-            for name, cmd in cmds.viewitems():
+            for name, cmd in cmds.items():
                 if cmd._indico_plugin:
                     self._wrap_in_plugin_context(cmd._indico_plugin, cmd)
                 rv[name] = cmd
         except Exception as exc:
-            if 'No indico config found' not in unicode(exc):
+            if 'No indico config found' not in str(exc):
                 click.echo(click.style('Loading plugin commands failed:', fg='red', bold=True))
                 click.echo(click.style(traceback.format_exc(), fg='red'))
             rv = {}
@@ -105,7 +103,7 @@ class LazyGroup(click.Group):
 
     def __init__(self, import_name, **kwargs):
         self._import_name = import_name
-        super(LazyGroup, self).__init__(**kwargs)
+        super().__init__(**kwargs)
 
     @cached_property
     def _impl(self):