This first bugfix & security release for 1.8.0 fixes two bugs and closes one (minor) security vulnerability:

🔒 Security fixes

  • Fixed a cross-site scripting vulnerability in the user and group managers. An attacker could talk an admin into creating a user or group with a specially crafted name containing executable HTML/JS, and then into deleting those again, triggering the cross-site scripting issue in the deletion confirmation dialog. A stealing of credentials through this should not have been possible under 1.8.0, however in versions before 1.8.0 the stealing of the “remember me” token would have been possible through this attack vector. This could have then been used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project’s recommendations). Thanks to Akshay Ravi for reporting and disclosing this reponsibly.

🐛 Bug fixes

  • #4516 - Fix a redirect loop on the login dialog if the Guests group was assigned the Read-Only group as a subgroup.
  • Gracefully handle errors scanning /dev for serial ports. Solves an issue with Octo4a on some Android devices.

You can also take a look at the extremely short changelog on GitHub.

Like every single release (and release candidate) of OctoPrint ever since early 2016 this release was made possible only through your continued support of my work 💕

Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

Heads-ups

The heads-ups from 1.8.1 still apply, please read them carefully, they might impact you and how you use OctoPrint! Also see the Further Information and Links below for more information, where to find help and how to roll back.

Thanks

Thanks to everyone who contributed to this bugfix release and provided full, analyzable bug reports, suggestions and feedback!

Further Information

If connected to the internet, OctoPrint will allow you to apply this update automatically via an update notification. It may take up to 24h for this notification to pop up, so don't be alarmed if it doesn't show up immediately after reading this. You can force the update however via Settings > Software Update > Advanced options > Force check for update.

If your update fails chances are high you are running into one of the common update issues listed with fixes here, so please go through that FAQ entry first.

If you have any problems with your OctoPrint installation, please seek support on the community forum.

Discuss!