1.10.0
✋ Heads-ups
🔒 You will now be expected to re-enter your password on critical operations
This version of OctoPrint requires you to reauthenticate with your password every five minutes on various critical operations you might do on your installation, e.g. adding, changing and deleting users, adding, changing and deleting groups, installing plugins, revealing the deprecated global API key, generating, revoking, revealing and granting application keys, accessing the recovery page and downloading or restoring backups. This change matches best practices with regards to security of web applications and was done in order to protect you from various potential attack vectors.
If you do not want this reauthentication requirement, you can find information on how to disable it in the configuration docs. Be aware though that by doing so you'll negatively impact your installation's security!
☝️ Slow update if your Pi is still running pip <= 20.3 (e.g. as shipped on early OctoPi 0.18 preview versions)
During the release candidate phase we found that if your OctoPrint installation still is using a pip
version below 20.3, updating to this version will take slightly longer than usual due to having to compile a third party dependency that got updated (zeroconf
), as these ancient pip
versions are not fetching the precompiled version from piwheels in this scenario. If you are affected, plan ahead accordingly and allow some time for the update or alternatively update pip (you can do that via the Software Update plugin's settings). Most of you however should not be affected by this at all. If you are not running a prerelease version of OctoPi 0.18.0 (the stable release of 0.18.0 is fine!), you are likely not affected by this.
⛈ Issues while updating?
On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.
♻ Changes
🔒 Security fixes
-
Severity Moderate (4.2): It was possible for admins to perform password changes for their own account or others via the Settings dialog without having to re-enter their password. A malicious administrator or an attacker having taken over an administrator's session could have used this to effectively lock out users from their accounts.
This has now been fixed by introducing a reauthentication requirement on changing passwords in the Settings. Unless the user has authenticated with their password (and other credentials possibly in the future) in the past 5min of their login session, a reauthentication dialog to re-enter the credentials will be shown, and only after that has done properly will the request work. This reauthentication dialog has also been added to other critical operations (adding, changing and deleting users, adding, changing and deleting groups, installing plugins, revealing the deprecated global API key, generating, revoking, revealing and granting application keys, accessing the recovery page). The reauthentication timeout of 5min is configurable via
config.yaml
, see the documentation.See also the GitHub Security Advisory and CVE-2024-23637.
-
Severity Moderate (4.0): It was possible for a malicious admin to configure or to talk a victim with admin rights into configuring a webcam snapshot URL which when tested through the "Test" button included in the web interface would execute JavaScript code in the victim's browser when attempting to render the snapshot image. An attacker who successfully talked a victim with admin rights into performing a snapshot test with such a crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.
This has now been fixed by properly sanitizing the data received from the snapshot URL.
See also the GitHub Security Advisory and CVE-2024-28237.
✨ Features & improvements
Core
- #4586: Added the capability report of the firmware as returned from
M115
tooctoprint.log
and also the systeminfo bundle in shape of a newm115.txt
file that gets generated if the bundle gets created while there's an active printer connection. - #4617: Added a manual refresh button to the webcam view that allows to reload the underlying webcam stream (if webcam plugin supports that by having implemented
onWebcamRefresh
in its viewmodel, otherwise the button will be a no-op). Only gets made visible when hovering over the webcam. - #4681: Added information on old and new file to the "file already exists dialog". See also PR#4721.
- #4685: Implemented a custom versioning tool to replace the so far used customized version of
versioneer
that has gotten quite long in the tooth. It should behave the same, but with way less code to keep maintained. - #4714: Added a new dialog that gets displayed when the printer reports an unrecoverable error, containing the error message, what happened due to that error (print cancellation, disconnect), if available a link to an FAQ entry, the last lines of communication and a big reminder that printer errors are printer errors and not OctoPrint's fault. The dialog will be automatically opened on connected clients, however it can also be accessed later by clicking on the new error icon added to the printer state panel.
- #4747: Made temperature graph time axis always show the configured cutoff interval. That should prevent any jumping of events.
- #4760: Made OctoPrint compatible to Python 3.12.
- #4764: Refactored the Tornado/WSGI interface based on the current Tornado code to make it async. That fixed the issue with connection reuse and as a very welcome side effect also very much increased the performance of the internal web server in general. Long running Flask endpoints now should no longer be able to fully block Tornado, and requests can get parallelized by the frontend, leading to a large reduction of time needed to fully load the UI.
- #4838: Improved performance of the internal settings data structure, reducing the initial settings fetch right after a server start from 2s+ to 400-700ms.
- #4843: Made the upload drop zone an optional feature that can be disabled in the settings. See also PR#4853.
- #4866: Added axis labels to model size info. See also PR#4898.
- #4880: Removed
scripts
folder from repo. - #4881: Display an error popup in case of startup issues due to inaccessible application directories.
- #4892: Keep tool change controls enabled while printing.
- #4921: Added graph markers for the
Connected
andDisconnected
events to the temperature graph. - PR#4743: Migrate from
netifaces
to the pretty much drop-in replacementnetifaces2
, since the former has been abandoned. - PR#4752: Send initial history message when the web socket subscription is changed.
- PR#4820: Added file and print head position to paused and cancel event & log entries.
- PR#4833: Improved first run wizard safety hints. They are now visually more alerting and the wizard now also requires the user to acknowledge having read and understood each warning by checking a checkbox.
- PR#4874: Added new
Thermal Malfunction
error to recognized as a kill inducing error on Marlin. - PR#4899: Removed the upper version pin for the
argon2-cffi
dependency. - PR#4918: Made target temperature lines in the temperature graph dashed. Improves accessibility for color blind users.
- PR#4928: Further improve screen reader accessibility.
- Use a file
<basefolder>/.incomplete_startup
to flag an incomplete startup instead of aconfig.yaml
entry. Makes it easier to reconfigure the server in CI situations. - Improved the UX of the systeminfo CLI.
octoprint systeminfo
will now generate a bundle in the current directory even without an explicitly added.
parameter.octoprint systeminfo --short
has been added to generated an abridged version directly on the command line. This should clear up issues we saw in the past where people forgot the.
and then just pasted the abridged text only version when in fact a bundle was needed and requested. - Added
progress
toPrintFailed
,PrintCancelled
andPrintPaused
events. - Added
operation
toFileRemoved
event. Allows distinguishing between a removal due to an actualremove
or amove
. - Added a funding banner to the About dialog and a funding link to the footer.
Achievement Plugin (✨ New!)
Added a new bundled Achievements plugin! OctoPrint will now internally record some instance stats and monitor some events and based on that give out various achievements. This version contains 36 achievements, 22 of which are hidden and for you to be discovered. Additionally, the instance stats are also being recorded per year to make it possible in the future to give you some yearly stats overview of your OctoPrint and printing use.
Unlocked achievements are also tracked via the Anonymous Usage Tracking. Of course, this can be disabled, and if you have not opted into tracking in the first place, nothing will be tracked, as always. Achievement stats are available on data.octoprint.org.
The goal of these achievements is not to gamify OctoPrint, but rather to give you something fun while also making it more visible how this project is funded and how you can help. If you are not interested in achievements, just disable the bundled Achievements plugin via the plugin manager.
Action Command Notification Plugin
- #4326: Added ability to ignore incoming printer notifications based on a filter regex. This is to combat notification spam by firmwares which abuse the feature. Please talk to your firmware provider about not abusing the notification action command for things triggered by the user, e.g. mirroring
M117
commands! See also PR#4886.
Application Keys Plugin
Classic Webcam Plugin
- #4837: Apply the selected camera aspect ratio to its
video
tag.
Discovery Plugin
- Updated the
zeroconf
dependency.
Event Manager Plugin
Plugin Manager Plugin
- Removed an unused variable.
Software Update Plugin
- #4819: OctoPrint will now be clearly marked as not updateable when running on Windows.
Virtual Printer Plugin
- PR#4799: Added support for generating an area report as part of the response to
M115
. - Made the simulated errors configurable via the settings.
Documentation
- #4787: Added a note to the documentation of the
SettingsPlugin
mixin that updating settings will trigger a reload screen. - #4852: Updated the plugin tutorial to reflect current CLI outputs.
- PR#4823: Slight improvement on the pause GCODE script.
Testing & CI
- #4908: Automatically publish release build artifacts on GitHub Releases as well as PyPI. Also automatically publish source tarball.
- Updated the
node-qunit-puppeteer
version to combat some JS unit test flakyness. - Run the E2E tests against the lowest and highest supported Python version, to make sure things work on both edge cases.
- Updated
playwright
used for the E2E tests.
Improvements done during the release candidate phase
- Core
- #4957: Bump
websocket-client
dependency to version 1.6.1, after verifying that it should still work with Python 3.7 in this version, to enable third party plugins to use bug fixes included in that version. - PR#4964: Harden the filename sanitization in the
download_file
function against possible path traversal issue in future use cases. - Use
aria-label
androle
instead ofsr-only
headings, resolving issues with the UI Customizer Plugin or other heavy CSS manipulation. - Use a reload popup instead of a blocking overlay modal on UI plugin and/or settings change. That should reduce the annoyance of the reload overlay popping up due to settings updates in the background. It should also help with the reload prompts sometimes observed during the newly introduced reauthentication workflow.
- Improve JS error reporting in Firefox.
- #4957: Bump
- Backup Plugin
- Require credential recheck for download & restore.
- Testing & CI
- #4908: Also automatically publish a source tarball upon release.
- Fix a potential race condition that might have caused some build errors recently.
🐛 Bug fixes
Core
- #4719: Normalize paths in file manager methods and called hooks and events.
- #4753: Fixed an error when attempting to set a custom logging level under certain circumstances.
- #4756: Fixed including variables in GCODE scripts from more than one plugin. See also PR#4757.
- #4769: Fixed a translation error in the included german language files. See also PR#4897.
- PR#4794: Protect against issues when a double slash is contained in the timelapse base folder, leading to not being able to delete timelapses.
- #4800: Fixed folder sorting by date of last print.
- #4808: Fixed wrong initial field set in printer state (
printTimeOrigin
instead of the correctprintTimeLeftOrigin
). - #4812: Fixed
octoprint systeminfo .
- PR#4830: Fixed translateability of the filament usage information in the state panel.
- #4835: Fixed
octoprint get
not properly returning sub trees for plugin settings hierarchies, due to a missing initialization. - #4841: Fixed a broken knockout binding in the GCODE Viewer's size warning dialog, leading to the file name missing. See also PR#4842.
- #4843: Don't trigger the drop zone for uploading files when not dragging files. Fixes issues when accidentally dragging selected text and similar.
- #4867: Fixed a warning about using the old webcam settings access path.
- #4903: Hardened temperature offset code against empty temperature commands and added logging for such cases.
- #4922: Fixed sorting of folder list in "move or rename file" dialog.
- #4929: Fixed a regression in the webcam styles that caused issues with the (abandoned) third party plugin TouchUI. See also PR#4930.
- Keep updating the temperature graph with empty entries even while disconnected, to ensure events shown there properly reflect their point in time from "now".
- Enabled CORS on asset plugins.
- Fixed some warnings in the vendored
awesome-slugify
dependency.
Classic Webcam Plugin
- #4885: Fixed snapshot timeout & SSL validation settings.
Discovery Plugin
- #4814: Join multicast group for SSDP discovery on all available addresses. Fixes issues with discovery on VLAN enabled hosts.
Plugin Manager Plugin
- Properly handle unset plugin versions in plugin notifications from the repository, e.g. when attempting to load notifications for a bundled plugin (which normally shouldn't happen, but turned out to happen during development thanks to an identifier clash).
Software Update Plugin
- Fixed
httpheader
check type. It was not storing its current value properly.
Virtual Printer Plugin
- #4907: Fixed a race condition related to
G4
andwait
.
Documentation
- #4906: Adjusted documentation to reflect correct name for
logsViewModel
dependency. - PR#4815: Updated documentation of
PrinterInterface.set_temperature
to reflect the current implementation. - PR#4868: Removed some repeating words.
- Clarify how to reconfigure log formatters. OctoPrint now either uses
simple
orcolored
formatters for the console log output, this still needed to get properly documented.
Fixes done during the release candidate phase
- Core
- #4939 (regression): Fix drag'n'drop initialization.
- #4940 (regression): Make
octoprint._version
backward compatible enough again to work around use on OctoPi images and third party plugins out there. - #4941 (regression): Fix some syntax under Python 3.7 & 3.8.
- #4942 (regression): Fix handling of setting an empty dict on the configuration. Also added a unit test for this.
- #4943 (regression): Fix fetching of file details for the existence check, preventing the "file already exists" dialog from making the correct checks.
- #4966 (regression): Fix handling of the reauthentication workflow for external users created & logged in from a configured header.
- #4969 (regression): Fix the final page of the firstrun wizard interfering with the completion of arbitrary wizards from plugins, when not even shown.
- #4980: Fix missing temperature history for anything but the first extruder. This was actually not a regression, but the bug only could be seen now after extending the timeline of the temperature graph to the full available history.
- #4983 (regression): Fix prefix caching for custom defaults. Manifested in no longer being able to select release channels in the Software Update plugin.
- #4987 (regression): Fix creation of the static version file during installation of sdist under Windows.
- Removed a left-over from the Access Control settings panel.
- Properly reflect that users logged in from a configured header can't log out through the logout button but rather must log out by closing the browser.
- Achievements Plugin
- #4984: Make the "Mass Production" achievement detect modifications of the file.
- Fix the "Heavy Chonker" achievement.
- Fix the default groups for the achievement permission.
- Action Command Notification Plugin
- #4967 (regression): Fix the filter logic so that an empty filter regex won't lead to all notifications to be filtered out.
- GCODE Viewer
- #4978: Fix reloading of the same file. First thought to be a regression, turned out to not be one but was a low hanging fruit.
🎉 Special thanks to all the contributors!
Special thanks to everyone who contributed to this RC, especially to @0r31, @bigfoxtail, @CMR-DEV, @cociweb, @cperrin88, @credomane, @crysxd, @danielkucera, @dawidpieper, @eumiro, @evanwurden, @hynek, @jatin-47, @jneilliii , @kaenguruhs, @mad73923, @max246, @MichaIng, @mintsoft, @neod123 and @thinkyhead for their PRs!
And an extra shoutout to our 13 first time contributors: @bigfoxtail, @cmd-dev, @cociweb, @cperrin88, @credomane, @danielkucera, @evanwurden, @hynek, @jatin-47, @kaenguruhs, @mad73923, @mintsoft and @neod123! 🎉
Also a big thank you to @tkruppert and @jacopotediosi for responsibly disclosing the security vulnerabilities fixed in this release.
☝️ Known issues
The following issues were discovered in earlier versions, but too late to still be fixed in this version, and are going to get a fix in an upcoming bugfix release.
- #4952: Upload of multiple files is impossible if SD support is disabled. Keep SD support enabled for now if you want to upload more than one file at once via the web UI.
- #4975: Reserved identifiers in the temperature reports from the printer lead to a warning getting logged each time instead of just once, which can increase the log file with broken firmware implementations. Avoid firmware reporting reserved identifiers, e.g. reporting a chamber temperature while also marking a chamber as not available as observed on current Prusa XL firmware builds.
- #4993: A bug in the GCODE analyser implementation can cause the server to get blocked if a lot of files need to get analysed at once during startup or due to a bulk upload. For now it is strongly suggested to limit the amount of freshly added files to a max of 10 at once and/or be aware of the server being very busy for a few minutes after larger numbers of added files.