
1.10.3

@foosel released this 05 Nov 09:20


✋ Heads-ups

The heads-ups from 1.10.0 still apply; please also read the 1.10.0 release notes for a full picture of what you should be aware of and what changed!

The same applies to the heads-up from 1.10.1.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

  • Severity Moderate (5.5): OctoPrint versions up to and including 1.10.2 are vulnerable to reflected XSS through their Jinja2 template system, which is not configured to enforce automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog.

    An attacker who successfully talked a victim into clicking on a specially crafted link, or who through a malicious third party app successfully redirected a victim to one, could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.

    The specific vulnerabilities in the login dialog and the standalone application key confirmation dialog mentioned above have been fixed in 1.10.3 by escaping each of the detected locations individually. A global change throughout OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general.

    The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt out.

    See also the GitHub Security Advisory and CVE-2024-49377.

  • Severity Moderate (5.3): OctoPrint versions up to and including 1.10.2 contain a vulnerability that allows an attacker who has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve, recreate or delete the user's API key - or, if the victim has admin permissions, the global API key - without having to reauthenticate by re-entering the user account's password.

    An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.

    See also the GitHub Security Advisory and CVE-2024-51493.
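To make the escaping change behind the first advisory above concrete, here is an added example (not OctoPrint's own code) that renders the same reflected value three ways: with a Jinja2 environment that does not enforce autoescaping, with the 1.10.3-style per-location escaping, and with environment-wide autoescaping as planned for 1.11.0. The template and the probe string are constructed for this example and do not correspond to OctoPrint's real templates.

```python
from jinja2 import Environment
from markupsafe import escape

# Hypothetical template standing in for a dialog that reflects a request
# parameter (e.g. a redirect target) back into the page. Assumption for
# this example only; it is not OctoPrint's login or app-key template.
TEMPLATE = '<p>Continue to <a href="{{ target }}">{{ target }}</a></p>'

# Constructed sample input: a value that breaks out of the attribute and
# injects markup if it reaches the template unescaped.
PROBE = '"><script>alert(1)</script>'


def render_unescaped(value: str) -> str:
    """Pre-1.10.3 situation: the environment never enforces autoescaping,
    so whatever the view passes in lands in the HTML verbatim."""
    env = Environment(autoescape=False)
    return env.from_string(TEMPLATE).render(target=value)


def render_spot_escaped(value: str) -> str:
    """1.10.3 fix: the environment is unchanged, but each affected
    location is escaped individually before rendering."""
    env = Environment(autoescape=False)
    return env.from_string(TEMPLATE).render(target=escape(value))


def render_autoescaped(value: str) -> str:
    """1.11.0 direction: autoescaping is enforced by the environment
    itself, so no single reflected location can be forgotten."""
    env = Environment(autoescape=True)
    return env.from_string(TEMPLATE).render(target=value)


def reflects_raw_markup(html: str) -> bool:
    """Detection check: did the probe's tag survive into the output?"""
    return "<script>" in html


if __name__ == "__main__":
    for name, fn in [("unescaped", render_unescaped),
                     ("spot-escaped", render_spot_escaped),
                     ("autoescaped", render_autoescaped)]:
        out = fn(PROBE)
        print(f"{name:13s} reflects raw markup: {reflects_raw_markup(out)}")
        print("   ", out)
```

Note that environment-wide autoescaping still does not protect values a template explicitly marks with `| safe` or wraps in `Markup`, which is why a review of those sites remains necessary even after the global switch.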

Minor Security fixes

  • Core, PR#5070: Use secrets lib to generate Flask secret key, API keys and user session IDs.

  • Discovery Plugin: Removed version number from discovery.xml of SSDP discovery. Combats information leakage.

  • GCODE Viewer Plugin: Limited access to skip_until check API to available GCODE_VIEWER and FILES_DOWNLOAD permissions. Combats information leakage.

🐛 Bug fixes

Core

  • #5036: Fixed a typo where the config setting server.reverseProxy.trustedUpstream was used instead of server.reverseProxy.trustedDownstream. Also made the SockJS trusted proxy check align with that of Flask & Tornado.
  • #5049: Fixed file list cache being created before all extension tree providing plugins have had a chance to act.

Plugin Manager

  • #5057: Fixed dequeuing of plugin installs. See also PR#5061.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release, especially to @jneilliii and @jacopotediosi for their PRs!

Also a big thank you to @jacopotediosi for responsibly disclosing the security vulnerabilities fixed in this release.

🔗 More information

  • Commits
  • Release candidates:
    • As this is a bugfix release, there were no release candidates