New release: 1.10.3
This third security & bugfix release for 1.10.x fixes some security vulnerabilities and bugs reported since the release of 1.10.2:
🔒 Security fixes
Severity Moderate (5.5): OctoPrint versions up until and including 1.10.2 are vulnerable to reflected XSS vulnerabilities through its Jinja2 template system, as this is not configured to enforce automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog.
An attacker who talked a victim into clicking on a specially crafted link, or who redirected the victim to such a link through a malicious third party app, could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.
The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been fixed in 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint’s templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general.
The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be enforced for third party plugins as well, unless they explicitly opt out.
See also the GitHub Security Advisory and CVE-2024-49377.
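To make the template-level root cause concrete, here is an added example (not OctoPrint's own code) that renders a constructed login-dialog template through Jinja2 three ways: with autoescaping off (the pre-1.10.3 situation), with the single reflecting location escaped by hand (the 1.10.3 style fix) and with autoescaping enforced for the whole environment (the 1.11.0 direction). The template string, the `username` variable, the payload and the per-template `{% autoescape %}` opt-in shown for plugins are assumptions made for this demonstration, not OctoPrint's actual templates or plugin mechanism.

```python
"""Reflected XSS through a Jinja2 environment that does not autoescape.

Added example, not OctoPrint code. Template, variable name and payload are
constructed for this demonstration.
"""
from jinja2 import BaseLoader, Environment
from markupsafe import Markup

# Constructed stand-in for a dialog that reflects attacker-controlled input
# (a query parameter, a redirect target, a pre-filled user name, ...).
DIALOG_TEMPLATE = "<p>Could not log in as {{ username }}.</p>"

# Constructed attacker input, e.g. carried in a crafted link the victim opens.
XSS_PAYLOAD = '<script>fetch("/api/settings").then(r=>r.text()).then(alert)</script>'


def render_no_autoescape(username: str) -> str:
    """Pre-1.10.3 situation: nothing is escaped, the payload becomes live markup."""
    env = Environment(loader=BaseLoader(), autoescape=False)
    return env.from_string(DIALOG_TEMPLATE).render(username=username)


def render_manual_escape(username: str) -> str:
    """1.10.3 style fix: escape the individual reflecting location with |e
    while the environment itself stays non-escaping."""
    env = Environment(loader=BaseLoader(), autoescape=False)
    tmpl = "<p>Could not log in as {{ username|e }}.</p>"
    return env.from_string(tmpl).render(username=username)


def render_global_autoescape(username: str) -> str:
    """1.11.0 direction: autoescaping enforced for the whole environment, so
    every {{ }} expression is escaped unless it is explicitly marked safe."""
    env = Environment(loader=BaseLoader(), autoescape=True)
    return env.from_string(DIALOG_TEMPLATE).render(username=username)


def render_plugin_opt_in(username: str) -> str:
    """Assumed per-template opt-in for illustration: a template running in a
    non-escaping environment wraps its own output in {% autoescape true %}."""
    env = Environment(loader=BaseLoader(), autoescape=False)
    tmpl = (
        "{% autoescape true %}"
        "<p>Could not log in as {{ username }}.</p>"
        "{% endautoescape %}"
    )
    return env.from_string(tmpl).render(username=username)


def render_trusted_fragment(fragment: str) -> str:
    """With global autoescaping, HTML that is genuinely trusted has to be
    wrapped in Markup to be emitted verbatim; a plain str is still escaped."""
    env = Environment(loader=BaseLoader(), autoescape=True)
    tmpl = env.from_string("<div>{{ fragment }}</div>")
    return tmpl.render(fragment=Markup(fragment))


def is_reflected_unescaped(rendered: str, payload: str) -> bool:
    """The check a practitioner runs: did the raw payload survive rendering?"""
    return payload in rendered


if __name__ == "__main__":
    for name, fn in (
        ("no autoescape", render_no_autoescape),
        ("manual |e", render_manual_escape),
        ("global autoescape", render_global_autoescape),
        ("plugin opt-in block", render_plugin_opt_in),
    ):
        out = fn(XSS_PAYLOAD)
        print(f"{name:20} reflected unescaped: {is_reflected_unescaped(out, XSS_PAYLOAD)}")
```

The manual `|e` filter and the enforced environment produce byte-identical output for the payload; the difference is that the manual version protects only the one location somebody remembered to fix, which is exactly why the release notes describe the per-location escaping as an interim measure and the global switch as the real reduction in attack surface.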
Severity Moderate (5.3): OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim’s OctoPrint browser session to retrieve/recreate/delete the user’s or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account’s password.
An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.
See also the GitHub Security Advisory and CVE-2024-51493.
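The second advisory is about a missing step-up check: a session that has been hijacked (for example via the XSS above) should not be enough to rotate or delete an API key. The following added example, which is not OctoPrint's code, models that with a constructed `User` record: the vulnerable path regenerates the key on session authority alone, the fixed path refuses unless the caller re-proves the password. It also uses the `secrets` module for the key material, the same library the minor security fixes below switch to for API keys and session IDs. The PBKDF2 password scheme, the class and the exception type are assumptions made for this demonstration.

```python
"""Password re-entry before API key rotation, and CSPRNG-backed key generation.

Added example, not OctoPrint code. User model, password hashing scheme and
error type are constructed for this demonstration.
"""
import hashlib
import hmac
import os
import random
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (assumed scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def generate_api_key() -> str:
    """32 bytes from the OS CSPRNG, hex encoded: what `secrets` provides."""
    return secrets.token_hex(32)


def predictable_api_key(seed: int) -> str:
    """What NOT to do: `random` is a seeded PRNG, so the same seed yields the
    same 'key'. Shown only to contrast with generate_api_key()."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(32))


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    api_key: Optional[str] = None

    def check_password(self, candidate: str) -> bool:
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)  # constant-time compare


class ReauthRequired(Exception):
    """Raised when an API key operation is attempted without a fresh password."""


def regenerate_api_key_vulnerable(user: User) -> str:
    """Pre-fix behaviour: a valid browser session alone is enough."""
    user.api_key = generate_api_key()
    return user.api_key


def regenerate_api_key(user: User, password: Optional[str]) -> str:
    """Fixed behaviour: the session must re-prove knowledge of the password."""
    if password is None or not user.check_password(password):
        raise ReauthRequired("password re-entry required to rotate the API key")
    user.api_key = generate_api_key()
    return user.api_key


def delete_api_key(user: User, password: Optional[str]) -> None:
    """Deletion gets the same step-up check, since losing a key disrupts
    every workflow that depends on it."""
    if password is None or not user.check_password(password):
        raise ReauthRequired("password re-entry required to delete the API key")
    user.api_key = None


def rotation_refused(user: User, password: Optional[str]) -> bool:
    """Helper for checks: True if the fixed path rejected the request and
    left the stored key untouched."""
    before = user.api_key
    try:
        regenerate_api_key(user, password)
    except ReauthRequired:
        return user.api_key == before
    return False


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    alice = User("alice", salt, digest)
    print("vulnerable path issued:", regenerate_api_key_vulnerable(alice))
    print("wrong password refused:", rotation_refused(alice, "hunter2"))
    print("fixed path issued:     ", regenerate_api_key(alice, "correct horse battery staple"))
```

The important property is that a stolen session cookie cannot be turned into a long-lived API key by itself: the attacker must also know the password, which a session hijack does not give them.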
Minor security fixes
- Core, PR#5070: Use the `secrets` lib to generate the Flask secret key, API keys and user session IDs.
- Discovery Plugin: Removed the version number from the `discovery.xml` of SSDP discovery. Combats information leakage.
- GCODE Viewer Plugin: Limited access to the `skip_until` check API to the `GCODE_VIEWER` and `FILES_DOWNLOAD` permissions. Combats information leakage.
🐛 Bug fixes
Core
- #5036: Fixed a typo where the config setting `server.reverseProxy.trustedUpstream` was used instead of `server.reverseProxy.trustedDownstream`. Also made the SockJS trusted proxy check align with that of Flask & Tornado.
- #5049: Fixed the file list cache being created before all extension tree providing plugins have had a chance to act.
Plugin Manager
You can also take a look at the changelog on GitHub.
Like every single release (and release candidate) of OctoPrint ever since early 2016 this release was made possible only through continued financial support by people like you! 💕
Click here if you enjoy OctoPrint and want to help with its funding!
Issues while updating?
On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.
Also make sure to check any of the heads-ups or plugin incompatibilities listed below.
Heads-ups
The heads-ups from 1.10.0 still apply, please read them carefully, they might impact you and how you use OctoPrint! Also see the Further Information and Links below for more information, where to find help and how to roll back.
The following heads-ups from earlier releases also still apply:
Thanks
Thanks to everyone who contributed to this bugfix release and provided full, analyzable bug reports, suggestions, feedback and - of course - funding!
A special Thank You! to these 2 fine people for their PRs!
Also another Thank you! to Jacopo Tediosi for the responsible disclosure of vulnerabilities fixed in this release.
Further Information
If connected to the internet, OctoPrint will allow you to apply this update automatically via an update notification. It may take up to 24h for this notification to pop up, so don't be alarmed if it doesn't show up immediately after reading this. You can force the update however via Settings > Software Update > Advanced options > Force check for update.
If your update fails chances are high you are running into one of the common update issues listed with fixes here, so please go through that FAQ entry first.
If you have any problems with your OctoPrint installation, please seek support on the community forum.
Links
- Changelog and Release Notes
- FAQ entry "My OctoPrint update fails" (Read in case of any update problems!)
- Community forum
- Discord Server
- FAQ
- Documentation
- Contribution Guidelines (also relevant for creating bug reports!)
- How to file a bug report
- How to roll back to an earlier release (OctoPi)
- How to roll back to an earlier release (manual install)
Published: 05 Nov 2024
Category: Release