github OctoPrint/OctoPrint 1.10.0rc3

latest releases: 1.10.0, 1.10.0rc4
pre-release, one month ago

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible (things newly added in this follow-up RC marked with 🆕):

  • Proper behaviour when using the included web interface as well as any third party clients at your disposal.
  • User and group management functioning as expected.
  • Plugin installation functioning as expected.
  • Application key management functioning as expected. Authentication workflow with third party clients at your disposal (e.g. slicers) works as it should.
  • Backup creation, download and restore functioning as expected.

🔒 Security fixes

  • Severity Moderate (4.0): It was possible for a malicious admin to configure, or to talk a victim with admin rights into configuring, a webcam snapshot URL which, when tested through the "Test" button included in the web interface, would execute JavaScript code in the victim's browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.

    This has now been fixed by properly sanitizing the data received from the snapshot URL.

    See also the GitHub Security Advisory and CVE-2024-28237.
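As an added illustration of the kind of check behind a fix like this (example code, not OctoPrint's own implementation; the function names, MIME allowlist and response shape are assumptions), a snapshot test endpoint must not relay whatever the remote URL returns straight to the browser, but verify that the body really is an image before handing it over for rendering:

```python
import base64

# Constructed allowlist of image types a webcam snapshot is expected to return,
# keyed to the magic bytes that identify them. image/svg+xml is deliberately
# absent: SVG documents can carry script and must never be rendered from an
# untrusted snapshot source.
ALLOWED_IMAGE_TYPES = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
}


def sniff_image_type(data: bytes):
    """Return the allowlisted MIME type whose magic bytes open `data`, or None."""
    for mime, magic in ALLOWED_IMAGE_TYPES.items():
        if data.startswith(magic):
            return mime
    return None


def build_snapshot_response_unsafe(content_type: str, data: bytes) -> dict:
    """Pattern to avoid: trusts the remote Content-Type header verbatim, so a
    text/html or image/svg+xml body reaches the victim's browser unchanged."""
    return {"ok": True, "type": content_type, "data": base64.b64encode(data).decode()}


def build_snapshot_response(content_type: str, data: bytes) -> dict:
    """Hardened variant (assumed design): the declared type must be on the
    allowlist AND the bytes must actually look like that type. Anything else is
    rejected instead of being passed on for rendering."""
    declared = content_type.split(";", 1)[0].strip().lower()
    sniffed = sniff_image_type(data)
    if declared not in ALLOWED_IMAGE_TYPES or sniffed != declared:
        return {"ok": False, "error": "snapshot is not a supported image"}
    # Only a verified image is embedded, suitable for a data: URI in an <img>.
    return {"ok": True, "type": declared, "data": base64.b64encode(data).decode()}
```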

✨ Features & improvements

Core

  • #4957: Bump websocket-client dependency to version 1.6.1, after verifying that it should still work with Python 3.7 in this version, to enable third party plugins to use bug fixes included in that version.
  • PR#4964: Harden the filename sanitization in the download_file function against possible path traversal issues in future use cases.
  • Use aria-label and role instead of sr-only headings, resolving issues with the UI Customizer Plugin or other heavy CSS manipulation.
  • Use a reload popup instead of a blocking overlay modal on UI plugin and/or settings change. That should reduce the annoyance of the reload overlay popping up due to settings updates in the background. It should also help with the reload prompts sometimes observed during the newly introduced reauthentication workflow.

🐛 Bug fixes

Core

  • #4966 (regression): Fix handling of the reauthentication workflow for external users created & logged in from a configured header.
  • #4969 (regression): Fix the final page of the firstrun wizard interfering with the completion of arbitrary wizards from plugins, when not even shown.
  • Properly reflect that users logged in from a configured header can't log out through the logout button but rather must log out by closing the browser.

Action Command Notification Plugin

  • #4967 (regression): Fix the filter logic so that an empty filter regex won't lead to all notifications being filtered out.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports, and especially to @jacopotediosi for their PR and the responsible disclosure of the security vulnerability fixed in this release!

🔗 More information
