This third release candidate for the upcoming 1.10.0 release includes one fix for a reported security issue, fixes some regressions that were reported with the first one, and also adds some improvements surrounding newly added functionality:

🔒 Security fixes

  • Severity Moderate (4.0): It was possible for a malicious admin to configure, or to talk a victim with admin rights into configuring, a webcam snapshot URL which, when tested through the “Test” button included in the web interface, would execute JavaScript code in the victim’s browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.

    This has now been fixed by properly sanitizing the data received from the snapshot URL.

    See also the GitHub Security Advisory and CVE-2024-28237.
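    As an added illustration of the kind of check such a fix involves (this is example code, not OctoPrint's actual implementation), the following Python accepts a snapshot response only when both its declared Content-Type and its leading magic bytes identify it as an image, so a response carrying HTML or script is never handed to the browser as if it were an image. The signature table, the size limit and the function names are assumptions.

```python
import base64
from typing import Optional

# Constructed example, not OctoPrint's code: validate a snapshot fetched from a
# user-configured URL before returning it to the browser, so that a response
# carrying HTML/JS instead of an image is rejected rather than rendered.

# Magic bytes of the image formats a webcam snapshot endpoint is expected to
# return (assumed set; extend as needed).
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

MAX_SNAPSHOT_BYTES = 5 * 1024 * 1024  # assumption: a sane upper bound


def sniff_image_type(body: bytes) -> Optional[str]:
    """Return the image MIME type matching the body's magic bytes, else None."""
    for signature, mime in IMAGE_SIGNATURES.items():
        if body.startswith(signature):
            return mime
    return None


def sanitize_snapshot(content_type: str, body: bytes) -> Optional[str]:
    """Return a data: URL the UI may place in an <img src> only when the
    response really is an image; otherwise return None.

    The declared Content-Type (parameters such as charset stripped) and the
    sniffed type must agree, so a 'text/html' body with '<script>' is dropped,
    and so is a response mislabelled 'image/jpeg' whose bytes are HTML.
    """
    if not body or len(body) > MAX_SNAPSHOT_BYTES:
        return None
    declared = content_type.split(";", 1)[0].strip().lower()
    sniffed = sniff_image_type(body)
    if sniffed is None or declared != sniffed:
        return None
    encoded = base64.b64encode(body).decode("ascii")
    return f"data:{sniffed};base64,{encoded}"
```

Serving the validated bytes through a data: URL (or a same-origin proxy endpoint with a fixed image Content-Type) keeps the untrusted snapshot host from ever supplying a document the browser would interpret as HTML.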

✨ Features & improvements

Core

  • #4957: Bump websocket-client dependency to version 1.6.1, after verifying that it should still work with Python 3.7 in this version, to enable third party plugins to use bug fixes included in that version.
  • PR#4964: Harden the filename sanitization in the download_file function against possible path traversal issues in future use cases.
  • Use aria-label and role instead of sr-only headings, resolving issues with the UI Customizer Plugin or other heavy CSS manipulation.
  • Use a reload popup instead of a blocking overlay modal on UI plugin and/or settings change. That should reduce the annoyance of the reload overlay popping up due to settings updates in the background. It should also help with the reload prompts sometimes observed during the newly introduced reauthentication workflow.

🐛 Bug fixes

Core

  • #4966 (regression): Fix handling of the reauthentication workflow for external users created & logged in from a configured header.
  • #4969 (regression): Fix the final page of the firstrun wizard interfering with the completion of arbitrary wizards from plugins, when not even shown.
  • Properly reflect that users logged in from a configured header can’t log out through the logout button but rather must log out by closing the browser.

Action Command Notification Plugin

  • #4967 (regression): Fix the filter logic so that an empty filter regex won’t lead to all notifications being filtered out.

For heads-ups, highlights and fancy pictures, please see the earlier post about 1.10.0rc1.

You can find the full changelog and release notes as usual on GitHub.

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports; you help make the next release as stable as possible! And of course also thank you to everyone who helped fund the development that went into this release candidate!

A special Thank You! to this fine person for their PRs, and an extra warm welcome to our one first-time contributor! 🎉

Since the past RCs have shown me that a lot of people appear to be unaware of this: Please do not install this RC if you expect a fully stable version. It is not a stable release, it is a release candidate: severe bugs may occur, and they might be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should feel comfortable with and capable of possibly having to do this before installing an RC.

If you want to and can help test this release candidate, you can find information on how to switch to the "Maintenance RCs" release channel in this guide if not already done (also linked below).

Please provide feedback on this RC. For general feedback you can use this ticket on the tracker. The information that everything works fine for you is also valuable feedback 😄. For bug reports please follow How to file a bug report - I need logs and reproduction steps to fix issues, not just the information that something doesn't work, so make sure to fill out all fields of the issue template.

While testing the release candidate, please take a closer look at these things:

  • Proper behaviour when using the included web interface as well as any third party clients at your disposal.

  • User and group management functioning as expected.

  • Plugin installation functioning as expected.

  • Application key management functioning as expected. Authentication workflow with third party clients at your disposal (e.g. slicers) works as it should.

  • Backup creation, download and restore functioning as expected.

Thanks!

Depending on the feedback regarding this version I'll look into fixing any observed regressions and bugs and pushing out a follow-up version as soon as possible and necessary.

Discuss!