Aug 092022
✋ Heads-ups
The heads-ups from 1.8.0 still apply, please read this release’s release notes as well for a full picture of what you should be aware of and what changed!
⛈ Issues while updating?
On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.
♻ Changes
🔒 Security fixes
- Fixed a cross-site scripting vulnerability in the user and group managers. An attacker could talk an admin into creating a user or group with a specially crafted name containing executable HTML/JS, and then into deleting those again, triggering the cross-site scripting issue in the deletion confirmation dialog. A stealing of credentials through this should not have been possible under 1.8.0, however in versions before 1.8.0 the stealing of the „remember me“ token would have been possible through this attack vector. This could have then been used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project’s recommendations). Thanks to Akshay Ravi for reporting and disclosing this reponsibly.
🐛 Bug fixes
- #4516 – Fix a redirect loop on the login dialog if the Guests group was assigned the Read-Only group as a subgroup.
- Gracefully handle errors scanning
/devfor serial ports. Solves an issue with Octo4a on some Android devices.
🎉 Special thanks to all the contributors!
Special thanks to everyone who contributed to this bugfix release!
Also a big thank you to User avatar Akshay Ravi for responsibly disclosing the security vulnerability that was fixed in this release.
🔗 More information
- Commits
- As this is a bugfix release, there were no release candidates