✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

The heads-up from 1.8.3 also still apply, please read this release's release notes as well.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🐛 Bug fixes

• #4659 - Fix the sanity check on the backup download endpoint to check against full paths.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

🔗 More information

• Commits
• As this is a bugfix release, there were no release candidates

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

The heads-up from 1.8.3 also still apply, please read this release's release notes as well.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

✨ Improvements

• Explicitly declare in-memory storage for rate limiter. Gets rid of warnings under latest flask-limiter versions.

🐛 Bug fixes

• #4656 - Fix cookie suffix creation on the frontend to properly work with multi-level subpaths. The wrong suffix caused OctoPrint's core UI not to be able to extract the CSRF token when running behind a reverse proxy with a multi-level prefix path, rendering the UI non functional.
• #4659 - Fix the sanity check on the backup download API so that backups created through the CLI or third party plugins named arbitrarily will be downloadable by admins.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

🔗 More information

• Commits
• As this is a bugfix release, there were no release candidates

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

The heads-up from 1.8.3 also still apply, please read this release's release notes as well.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

✨ Improvements

• Added a new reverse proxy test page under /reverse_proxy_test. This can be used to determine whether you have configured any reverse proxies that are between you and OctoPrint correctly, and if not where the error might lie. This should help in debugging issues caused by misconfigured reverse proxies and the CSRF protection introduced in 1.8.3.
• Switched the SameSite setting on cookies to Lax. Strict was causing issues for users who navigate to their OctoPrint instance using a custom start page, since SameSite=Strict would suppress all cookies in that case, forcing you to login again. Please note that you can switch it to Strict yourself via the server.cookies.samesite configuration option, if you so desire for slightly increased security, and don't need the ability to access your OctoPrint instance from a link on another page while still staying logged in.

🐛 Bug fixes

• #4648 - Fix passive login with global API key. The _api user could not be looked up for cookie signatures, this has been rectified.
• #4648 - Invalid API keys now correctly report that they are invalid instead of being treated like a guest user.
• #4648 - Guest users on the API (no browser context, no API key) are now properly handled and no longer assumed to be a browser session, thus triggering CSRF protection.
• #4650 - Fix setting CSRF cookie on cached responses. This bug could prevent the UI from working if it was served from the browser's cache in combination with a 304 Not Modified response from the server, instead of being freshly generated.
• #4653 - Fix handling of reauth requests on the websocket with reason stale, also send a stale reauth request in case of attempting to auth with an unknown user/session combo.
• Fixed fallback to pbkdf2_sha256 if argon2 backend is missing for password hashing. The argon2_cffi dependency is still required and should be automatically installed on installation of OctoPrint 1.8.3+, but if for whatever reason that (partially) fails, OctoPrint will now gracefully fallback to a different password hashing algorithm while logging a warning about that, instead of just spewing errors.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

🔗 More information

• Commits
• As this is a bugfix release, there were no release candidates

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

Important notice about downgrading from this version

With OctoPrint 1.8.3, the password hashing has been changed to use the Argon2 hashing algorithm. Any existing accounts will be migrated to the new hashing format on their first login under 1.8.3 or later, and the accessControl.salt value will be stripped from the config once all accounts have been migrated as it is no longer needed. This however means that downgrading to an earlier version will result in no longer being able to login, since earlier versions of OctoPrint 1.8.3 have no idea what to do about the Argon2 hashes and require accessControl.salt as well.

However, OctoPrint 1.8.3 and later come prepared for this scenario and will create a backup of both your users.yaml and config.yaml files, to make sure you can manually roll those back should for whatever reason you need to downgrade to a version prior 1.8.3. Find out more in the FAQ.

Plugin authors: Check out the changes due to OctoPrint's new CSRF protection

To protect OctoPrint against CSRF attacks against the non CORS affected upload endpoints, in case of browser session based authorization the API is protected using the Double Submit Cookie mitigation strategy. You can read more about how this is implemented and how it might affect your frontend code in the docs.

If your plugin happens to implemented the BlueprintPlugin mixin, please also read up on the changes on that that relate to CSRF protection and what steps you must take to get rid of warnings you will now see in the logs otherwise. You can find the updated docs on the BlueprintPlugin mixin here.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

• Severity High (8.3): It was possible to use Cross-Site Request Forgery combined with phishing to trick an admin user into visiting a malicious site that then could install a malicious plugin on the OctoPrint server using the logged-in admin user's browser credentials. This attack vector has now been closed. The API will now require to be sent a CSRF cookie provided by the server on initial page load as well as a CSRF header containing the same value with every API request that is not GET, HEAD or OPTIONS. Please read more about this in the docs.
• Severity Medium (6.1): The "Settings Manage" permission allowed user management. This has historic reasons as it was used as the original "Admin" permission, however its description does not include this kind of access and thus it could have caused unintentional access in the field, allowing a "Settings Admin" user to elevate their own permissions or change those of others. All kinds of user management now require the "Admin" permission. A future version of OctoPrint will also drop the confusing Settings Admin permission, see #4641 for the roadmap for this.
• Severity Medium (6): A malicious admin user could upload a specially crafted language pack containing one or more symlinks to files on the OctoPrint server, which would then be contained in created backups and could thus be extracted that way. This could be used by a malicious admin user to extract files from the OctoPrint server readable by the system user the OctoPrint server is running under, including OS files outside the scope of OctoPrint. This has been fixed.
• Severity Medium (5.3): Improved security of the password change dialog in as that it now requires you to enter your current password before allowing you to set a new one. Admins are still able to change the passwords of users without this requirement. See also CVE-2022-2930.
• Severity Medium (5.3): Fixed a buggy permission role that assigned the ability to enable/disable/uninstall plugins to users with the List Plugins permission. Note that installing plugins was not also included in this. This could have been used by read-only or operator users to enable, disable or uninstall already installed plugins, without the need for an administrator. See also CVE-2022-3068.
• Severity Medium (4.4): OctoPrint's login sessions will now expire after a short time (15min), unless kept alive by keeping a tab open. The remember me cookie will expire after 90 days. Sessions and the remember me cookie will also become invalid on password change. This prevents the reuse of old session credentials or remember me cookies somehow obtained by an attacker (e.g. through a compromised browser or a forgotten on a shared system). See also CVE-2022-2888
• Severity Medium (4.2): The password hashing has been switched to Argon2. Existing password hashes will be migrated transparently to this new hashing approach on login of the individual accounts, a backup of the old file will be made (and automatically removed again in a future version). Important: That means that you can not downgrade easily from 1.8.3 to a version prior. If you need to downgrade, please see this FAQ entry.
• Severity Low (3.7): A rate limit on the login dialog has been introduced to thwart attempts at bruteforcing a working username/password combo. After a number of failed attempts to login (3/minute, 5/10 minutes, 10/hour), you are denied further attempts until the hit rate limit expires. It will extend on each further failed attempt. The rate limit is tracked per client IP and will reset on server restart. See also CVE-2022-2822.
• Severity Low (3.7): Fixed a bug that allowed someone to upload a .gcode file but then rename it to .html or similar through OctoPrint's move file functionality. This could have been used to launch a phishing or scripting attack on an unsuspecting user of the same OctoPrint instance. This has now been fixed as in that the move file feature only supports moving/renaming to file extensions that are supported for upload as well. See also CVE-2022-2872.
• Severity Low (3.5): A user with the "Files Upload" permission but without the "Files Delete" permission was able to overwrite and thus effectively delete files. OctoPrint will now require the "Files Delete" permission to perform an overwrite.
• Severity Low (3.5): While logs where not displayed on the terminal tab without the "Monitor Terminal" permission, they were still sent on the web socket. This has been rectified.
• Severity Informational (0.0): It was possible to download files from the backup download endpoint (accessible only by admins) that weren't backups. This could possibly have been abused by a malicious admin user that first got something there somehow that wasn't a backup and then extracting it this way. While the question as to why that would be a preferable approach to extract data from a server you have full admin access to remains unanswered, this no longer is possible now regardless.
• Severity Informational (0.0): Limited folder config in UI to uploads, timelapses and watched folder. Everything else needs to be configured through config.yaml.

🐛 Bug fixes

• Fixed a bug that prevented user creation without any attached groups. If no group was attached, OctoPrint so far forced the default user group "Operator" to be attached to the user. This has been solved.
• Fixed a styling issue in the appearance settings.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

🔗 More information

• Commits
• As this is a bugfix release, there were no release candidates

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

• Fixed an open redirect vulnerability in the login dialog. An attacker could send a login URL with a specially crafted redirect parameter pointing to an external page under their control to an instance admin that if used to login would redirect this URL, allowing the attacker to start a phishing attack. This is not directly exploitable by the attacker, but after a successful phishing attack and thus obtained credentials could be used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "Mizu" for reporting and disclosing this responsibly.

🐛 Bug fixes

• Pinned the Flask dependency to 2.1. The latest release requires a version of werkzeug that we currently cannot upgrade to due to yet another dependency, and there seem to have been cases in the field where users managed to update Flask regardless of the werkzeug version pin in OctoPrint, which caused runtime errors. This has not been successfully reproduced in the development environment, but a version pin here is a sensible precaution.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

Also a big thank you to Mizu for responsibly disclosing the security vulnerability that was fixed in this release.

🔗 More information

• Commits
• As this is a bugfix release, there were no release candidates

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

• Fixed a cross-site scripting vulnerability in the user and group managers. An attacker could talk an admin into creating a user or group with a specially crafted name containing executable HTML/JS, and then into deleting those again, triggering the cross-site scripting issue in the deletion confirmation dialog. A stealing of credentials through this should not have been possible under 1.8.0, however in versions before 1.8.0 the stealing of the "remember me" token would have been possible through this attack vector. This could have then been used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to Akshay Ravi for reporting and disclosing this reponsibly.

🐛 Bug fixes

• #4516 - Fix a redirect loop on the login dialog if the Guests group was assigned the Read-Only group as a subgroup.
• Gracefully handle errors scanning /dev for serial ports. Solves an issue with Octo4a on some Android devices.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

Also a big thank you to User avatar Akshay Ravi for responsibly disclosing the security vulnerability that was fixed in this release.

🔗 More information

• Commits
• As this is a bugfix release, there were no release candidates

✋ Heads-ups

💥 OctoPrint 1.8.0 drops Python 2 support!

As previously announced on the OctoBlog and in OctoPrint On Air #43, OctoPrint 1.8.0 drops Python 2 support. In order to be able to install/update to it, you need to be running OctoPrint under Python 3 already, e.g. as shipped on OctoPi 0.18.0. Installing on Python 2 will fail. The Software Updater will also be redirected to a new OctoPrint Legacy repository for checking for OctoPrint updates if it detects that you are still running Python 2. As outlined in the blog post and the vlog, there are no more updates for OctoPrint 1.7/Python 2 planned. Update now or you will be left behind, including for most security fixes!

If you are unsure what version of Python your OctoPrint instance is running under, open the web interface and look into the lower left corner where it will tell you:

This is also covered in the FAQ.

🔒 OctoPrint 1.8.0 fixes some reported security issues, update ASAP!

While OctoPrint 1.8.0rc5 was undergoing testing, three security vulnerabilities were disclosed to me. These issues are fixed in the stable release of 1.8.0. Since these vulnerabilities are of low concern for instances that are not publicly exposed on the internet or other hostile networks, as strongly recommended, the fixes will not be backported to OctoPrint 1.7.x and thus instances still under Python 2.

Please update your OctoPrint instance to the latest stable version of OctoPrint 1.8.0 as soon as possible.

🧩 Heads-ups for plugin authors

♻ Changes

🔒 Security fixes

• CVE-2022-1430 - Fixed a Cross Site Scripting vulnerability in the login dialog. An attacker could send a login URL with a specially crafted redirect parameter to an instance admin that if used to login would allow the attacker to steal the "remember me" cookie. This could have then be used to gain access to the OctoPrint instance with the victim's credentials, if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this reponsibly.
• CVE-2022-1432 - Fixed a Cross Site Scripting vulnerability in the webcam stream URL test. An attacker could talk an instance administrator into inserting a specially crafted HTML/JS snippet into the webcam settings and then ask them to click "test", making the JS code run and potentially steal the remember me token. This could have then been used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this reponsibly.
• Fixed an open redirect vulnerability in the login dialog. An attacker could send a login URL with a redirect parameter pointing to an external page under their control to an instance admin that if used to login would redirect this URL, allowing the attacker to start a phishing attack. This is not directly exploitable by the attacker, but after a successful phishing attack and thus obtained credentials could be used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this reponsibly.
• Fixed a Cross Site Scripting vulnerability in the login dialog regarding the userId parameter. It is currently unconfirmed if this could have been used for an attack.
• Set the "remember me" cookie to http only. This prevents an attacker from accessing the cookie via JavaScript, e.g. in the context of Cross Site Scripting attacks.

✨ Features & improvements

• #3261 - The temperature tab now has (optional) event markers for when a print gets started, paused, resumed, cancelled or finishes. (PR #4382)
• #3491 - Added new events FileMoved and FolderMoved, see the documentation for details on payload. (PR #4405)
• #3589 - Software Update: You may now enqueue software updates while a print is ongoing. They will then be started (after a short countdown) after successful completion of the print, or manually if you cancelled the print. You can manage the queue during the print to remove items you don't want enqueued after all, or add additional items to it as well. (PR #4364)
• #3868 - Optionally remember (and restore) the last opened folder in the files list in the browser if enabled in the features. (PR #4291)
• #4179 - Gcode Viewer: Every fifth grid line (= every 5cm) will now be drawn slightly thicker to allow for easier counting and mapping of physical location. (PR #4287)
• #4186 (PR) - Added support for changing order in which plugin hooks & implementation callbacks are called by OctoPrint.
• #4218 - Gcode Viewer: Prevent mouse wheel from scrolling entire page and panning the canvas. (PR #4274)
• #4221 (PR) - Improved performance of serial device lookup.
• #4222 (PR) - Improved performance of all yaml operations by using the C based loader when possible.
• #4223 (PR) - Added a ripgrep ignore file.
• #4225 (PR) - Added a first version for embedding WebRTC based webcams. Please note that this should be considered beta and is still subject to change while further work and research is being done on the backend side of things.
• #4227 - Added a help message that reminds users that username and password are case sensitive. (PR #4246).
• #4228 - Switch the code to use utf-8-sig encoding instead of bom_aware_open and deprecated bom_aware_open. It will be removed in 2.0.0.
• #4230 (PR) - Improved settings processing performance by optimizing deep_dict a...

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋ Heads-up

All of the heads-ups of 1.8.0rc1 apply.

Heads-up for plugin authors: Settings._config is read-only!

If your plugin code has been using Settings._config to modify what gets stored in config.yaml, this will no longer work. It never was a supported method, however it did work due to how things were implemented internally. Implementation has changed now so that any code doing this will no longer work - the nested dictionary returned by the Settings._config is only a copy of the internal data structure and thus any modifications will be dropped silently. A deprecation warning has been added just in case. Use the provided set and remove methods on the settings object instead please.

✨ Improvements

• Harden against wonky firmware temperature responses that might lead to hotend or bed temperature values to be overwritten with something else by only ever using the first value for a sensor key seen in the response.

🐛 Bug fixes

• #4486 (regression) - Fix changing of folder paths via the settings.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports!

🔗 More information

• Commits

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋ Heads-up

All of the heads-ups of 1.8.0rc1 apply.

🐛 Bug fixes

• #4479 (regression) - Further harden new settings structure against invalid data structures from third party plugins.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports!

🔗 More information

• Commits

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋ Heads-up

All of the heads-ups of 1.8.0rc1 apply.

✨ Improvements

• Update version requirement for PiSupport plugin to latest release

🐛 Bug fixes

• #4463 (regression) - GCode Viewer: Fix viewer not showing the last layer.
• Fixed a potential race condition that could cause an Internal Server Error on initial page load (self-fixing on the next reload though). Likely a regression caused by the changes to the webassets cache handling.
• Work around a compatibility issue between latest werkzeug and flask-login releases by pinning werkzeug to 2.0.x.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports!

🔗 More information

• Commits