Releases: OctoPrint/OctoPrint

1.8.2

09 Aug 12:33

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

  • Fixed an open redirect vulnerability in the login dialog. An attacker could send an instance admin a login URL with a specially crafted redirect parameter pointing to an external page under their control; if the admin used that URL to log in, they would be redirected to this page, allowing the attacker to start a phishing attack. This is not directly exploitable by the attacker, but credentials obtained through a successful phishing attack could be used to gain access to the OctoPrint instance if it is somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "Mizu" for reporting and disclosing this responsibly.

🐛 Bug fixes

  • Pinned the Flask dependency to 2.1. The latest release requires a version of werkzeug that we currently cannot upgrade to due to yet another dependency, and there seem to have been cases in the field where users managed to update Flask regardless of the werkzeug version pin in OctoPrint, which caused runtime errors. This has not been successfully reproduced in the development environment, but a version pin here is a sensible precaution.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

Also a big thank you to Mizu for responsibly disclosing the security vulnerability that was fixed in this release.

🔗 More information

  • Commits
  • As this is a bugfix release, there were no release candidates

1.8.1

24 May 10:08

✋ Heads-ups

The heads-ups from 1.8.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

  • Fixed a cross-site scripting vulnerability in the user and group managers. An attacker could talk an admin into creating a user or group with a specially crafted name containing executable HTML/JS, and then into deleting those again, triggering the cross-site scripting issue in the deletion confirmation dialog. Stealing credentials through this should not have been possible under 1.8.0; in versions before 1.8.0, however, the "remember me" token could have been stolen through this attack vector. This could have then been used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to Akshay Ravi for reporting and disclosing this responsibly.

🐛 Bug fixes

  • #4516 - Fix a redirect loop on the login dialog if the Guests group was assigned the Read-Only group as a subgroup.
  • Gracefully handle errors scanning /dev for serial ports. Solves an issue with Octo4a on some Android devices.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

Also a big thank you to Akshay Ravi for responsibly disclosing the security vulnerability that was fixed in this release.

🔗 More information

  • Commits
  • As this is a bugfix release, there were no release candidates

1.8.0

17 May 11:18

✋ Heads-ups

💥 OctoPrint 1.8.0 drops Python 2 support!

As previously announced on the OctoBlog and in OctoPrint On Air #43, OctoPrint 1.8.0 drops Python 2 support. In order to be able to install/update to it, you need to be running OctoPrint under Python 3 already, e.g. as shipped on OctoPi 0.18.0. Installing on Python 2 will fail. The Software Updater will also be redirected to a new OctoPrint Legacy repository for checking for OctoPrint updates if it detects that you are still running Python 2. As outlined in the blog post and the vlog, there are no more updates for OctoPrint 1.7/Python 2 planned. Update now or you will be left behind, including for most security fixes!

If you are unsure what version of Python your OctoPrint instance is running under, open the web interface and look into the lower left corner, where it will tell you.

This is also covered in the FAQ.

🔒 OctoPrint 1.8.0 fixes some reported security issues, update ASAP!

While OctoPrint 1.8.0rc5 was undergoing testing, three security vulnerabilities were disclosed to me. These issues are fixed in the stable release of 1.8.0. Since these vulnerabilities are of low concern for instances that are not publicly exposed on the internet or other hostile networks, as strongly recommended, the fixes will not be backported to OctoPrint 1.7.x and thus instances still under Python 2.

Please update your OctoPrint instance to the latest stable version of OctoPrint 1.8.0 as soon as possible.

🧩 Heads-ups for plugin authors

🧩 Importing Jinja2 templates from another plugin without an explicit prefix is now deprecated!

Until now, OctoPrint (erroneously) allowed a plugin's templates to be replaced by templates of the same name from another plugin, depending on loading order. Fixing this required creating prefixes for plugin templates. Relative imports (think {% include "snippets/my_snippet.jinja2" %}) will now attempt to resolve against the current plugin. If that isn't possible, OctoPrint will for now also attempt to resolve them globally against all registered templates, and if a match is found, a deprecation will be logged. The latter behaviour will be removed in a future version of OctoPrint, so if your plugin includes templates from other plugins, you should now change it to use plugin prefixes when running on OctoPrint 1.8.0 or higher. Plugin prefixes are plugin_<plugin identifier>/, so for example, to include the settings pane of the bundled software update plugin, you'd now need to use plugin_softwareupdate/plugin_softwareupdate_settings.jinja2.

🧩 octoprint.util.bom_aware_open is now deprecated and will be removed in 2.0.0

If your code uses bom_aware_open, you should replace its use with the regular open with utf-8-sig encoding instead (or io.open in py2/3 compatibility mode).

🧩 octoprint.util.commandline.clean_ansi will no longer accept bytes in 2.0.0

If your code uses clean_ansi somewhere, make sure you supply it with str (formerly known as unicode) instead of bytes objects.

🧩 Settings._config is read-only!

If your plugin code has been using Settings._config to modify what gets stored in config.yaml, this will no longer work. It never was a supported method, however it did work due to how things were implemented internally. Implementation has changed now so that any code doing this will no longer work - the nested dictionary returned by the Settings._config is only a copy of the internal data structure and thus any modifications will be dropped silently. A deprecation warning has been added just in case. Use the provided set and remove methods on the settings object instead please.

♻ Changes

🔒 Security fixes

  • CVE-2022-1430 - Fixed a Cross Site Scripting vulnerability in the login dialog. An attacker could send an instance admin a login URL with a specially crafted redirect parameter that, if used to log in, would allow the attacker to steal the "remember me" cookie. This could have then been used to gain access to the OctoPrint instance with the victim's credentials, if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this responsibly.
  • CVE-2022-1432 - Fixed a Cross Site Scripting vulnerability in the webcam stream URL test. An attacker could talk an instance administrator into inserting a specially crafted HTML/JS snippet into the webcam settings and then ask them to click "test", making the JS code run and potentially steal the remember me token. This could have then been used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this responsibly.
  • Fixed an open redirect vulnerability in the login dialog. An attacker could send an instance admin a login URL with a redirect parameter pointing to an external page under their control; if the admin used that URL to log in, they would be redirected to this page, allowing the attacker to start a phishing attack. This is not directly exploitable by the attacker, but credentials obtained through a successful phishing attack could be used to gain access to the OctoPrint instance if it is somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this responsibly.
  • Fixed a Cross Site Scripting vulnerability in the login dialog regarding the userId parameter. It is currently unconfirmed if this could have been used for an attack.
  • Set the "remember me" cookie to http only. This prevents an attacker from accessing the cookie via JavaScript, e.g. in the context of Cross Site Scripting attacks.
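
A server-side check of the kind that closes the open redirect class fixed in 1.8.0 and again in 1.8.2, shown as an added example: it is not OctoPrint's own code or its actual fix. The helper name safe_redirect, the hosts octopi.local and evil.example, and all sample inputs are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample origin; "octopi.local" and "evil.example" are placeholders.
BASE_URL = "http://octopi.local/"


def safe_redirect(target, base_url=BASE_URL, default="/"):
    """Return a same-origin, path-only redirect target, or `default`.

    Hypothetical helper for illustration; not OctoPrint's implementation.
    """
    if not isinstance(target, str) or not target:
        return default

    # Browsers treat "\" like "/" and silently drop tabs/newlines, so
    # "/\evil.example" or "/<TAB>/evil.example" can become "//evil.example".
    # Reject backslashes, whitespace and control characters outright.
    if "\\" in target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return default

    try:
        base = urlsplit(base_url)
        # Resolve the way a browser would: relative paths stay on the base
        # origin, "//host/..." and absolute URLs take on their own host.
        resolved = urlsplit(urljoin(base_url, target))
    except ValueError:  # e.g. a malformed IPv6 literal
        return default

    if resolved.scheme not in ("http", "https"):
        return default
    # Compare the full authority, not a prefix: this rejects both
    # "octopi.local.evil.example" and "octopi.local@evil.example".
    if (resolved.scheme, resolved.netloc.lower()) != (
        base.scheme,
        base.netloc.lower(),
    ):
        return default

    # Emit a path-only value and collapse leading slashes so the result can
    # never be read as a scheme-relative "//host" URL.
    out = "/" + resolved.path.lstrip("/")
    if resolved.query:
        out += "?" + resolved.query
    if resolved.fragment:
        out += "#" + resolved.fragment
    return out


# Constructed inputs: (redirect parameter, expected result).
SAMPLES = [
    ("/?tab=files#temp", "/?tab=files#temp"),          # same-origin path
    ("http://octopi.local/#temp", "/#temp"),           # same-origin absolute
    ("https://evil.example/login", "/"),               # external absolute URL
    ("//evil.example/login", "/"),                     # scheme-relative URL
    ("/\\evil.example", "/"),                          # backslash variant
    ("/\t/evil.example", "/"),                         # embedded tab
    ("javascript:void(0)", "/"),                       # non-http scheme
    ("http://octopi.local@evil.example/", "/"),        # userinfo confusion
    ("http://octopi.local.evil.example/", "/"),        # prefix look-alike
    ("http://octopi.local//evil.example", "/evil.example"),  # double slash path
    ("http://[evil", "/"),                             # unparsable authority
]


def failing_samples():
    """Return the samples whose result differs from the expected value."""
    return [(t, safe_redirect(t)) for t, want in SAMPLES if safe_redirect(t) != want]


if __name__ == "__main__":
    for target, _ in SAMPLES:
        print(f"{target!r:45} -> {safe_redirect(target)!r}")
```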

✨ Features & improvements

  • #3261 - The temperature tab now has (optional) event markers for when a print gets started, paused, resumed, cancelled or finishes. (PR #4382)
  • #3491 - Added new events FileMoved and FolderMoved, see the documentation for details on payload. (PR #4405)
  • #3589 - Software Update: You may now enqueue software updates while a print is ongoing. They will then be started (after a short countdown) after successful completion of the print, or manually if you cancelled the print. You can manage the queue during the print to remove items you don't want enqueued after all, or add additional items to it as well. (PR #4364)
  • #3868 - Optionally remember (and restore) the last opened folder in the files list in the browser if enabled in the features. (PR #4291)
  • #4179 - Gcode Viewer: Every fifth grid line (= every 5cm) will now be drawn slightly thicker to allow for easier counting and mapping of physical location. (PR #4287)
  • #4186 (PR) - Added support for changing order in which plugin hooks & implementation callbacks are called by OctoPrint.
  • #4218 - Gcode Viewer: Prevent mouse wheel from scrolling entire page and panning the canvas. (PR #4274)
  • #4221 (PR) - Improved performance of serial device lookup.
  • #4222 (PR) - Improved performance of all yaml operations by using the C based loader when possible.
  • #4223 (PR) - Added a ripgrep ignore file.
  • #4225 (PR) - Added a first version for embedding WebRTC based webcams. Please note that this should be considered beta and is still subject to change while further work and research is being done on the backend side of things.
  • #4227 - Added a help message that reminds users that username and password are case sensitive. (PR #4246).
  • #4228 - Switch the code to use utf-8-sig encoding instead of bom_aware_open and deprecated bom_aware_open. It will be removed in 2.0.0.
  • #4230 (PR) - Improved settings processing performance by optimizing deep_dict a...

1.8.0rc5 (release candidate)

12 Apr 14:12
Pre-release

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋ Heads-up

All of the heads-ups of 1.8.0rc1 apply.

Heads-up for plugin authors: Settings._config is read-only!

If your plugin code has been using Settings._config to modify what gets stored in config.yaml, this will no longer work. It never was a supported method, however it did work due to how things were implemented internally. Implementation has changed now so that any code doing this will no longer work - the nested dictionary returned by the Settings._config is only a copy of the internal data structure and thus any modifications will be dropped silently. A deprecation warning has been added just in case. Use the provided set and remove methods on the settings object instead please.

✨ Improvements

  • Harden against wonky firmware temperature responses that might lead to hotend or bed temperature values to be overwritten with something else by only ever using the first value for a sensor key seen in the response.

🐛 Bug fixes

  • #4486 (regression) - Fix changing of folder paths via the settings.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports!

🔗 More information

1.8.0rc4 (release candidate)

05 Apr 12:41
Pre-release

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋ Heads-up

All of the heads-ups of 1.8.0rc1 apply.

🐛 Bug fixes

  • #4479 (regression) - Further harden new settings structure against invalid data structures from third party plugins.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports!

🔗 More information

1.8.0rc3 (release candidate)

29 Mar 11:49
Pre-release

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋ Heads-up

All of the heads-ups of 1.8.0rc1 apply.

✨ Improvements

  • Update version requirement for PiSupport plugin to latest release

🐛 Bug fixes

  • #4463 (regression) - GCode Viewer: Fix viewer not showing the last layer.
  • Fixed a potential race condition that could cause an Internal Server Error on initial page load (self-fixing on the next reload though). Likely a regression caused by the changes to the webassets cache handling.
  • Work around a compatibility issue between latest werkzeug and flask-login releases by pinning werkzeug to 2.0.x.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports!

🔗 More information

1.8.0rc2 (release candidate)

16 Mar 10:42
Pre-release

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋ Heads-up

All of the heads-ups of 1.8.0rc1 apply.

✨ Improvements

  • #4460 - Expose new config flag serial.ignoreEmptyPorts to ignore empty serial ports and maintain pre 1.8.0 default behaviour regarding the handling of the situation on the UI as well (see Serial Connection > General > Connection > Advanced Options > Ignore empty ports).
  • Application Keys: Add docs for new auth dialog work flow.

🐛 Bug fixes

  • #4453 (regression) - Improve resilience against broken plugin template configs.
  • #4454 (regression) - Fix a fatal error in the refactored settings hierarchy upon encountering an int key.
  • #4456 (regression) - Fix a serial loop crash when encountering a custom temperature entry (or garbage that looks like one) that matches the too broadly defined reserved identifier regex.
  • #4458 (regression) - Fix retrieval of full dict structures from the settings for which an empty default exists.
  • #4459 (regression) - GCode Viewer: Fix transmission of parsed layer data structure from the worker to the main thread.
  • Add some missing less 4 compatibility fixes
  • Fix version requirement of PiSupport plugin

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release candidate and provided full, analyzable bug reports!

🔗 More information

1.8.0rc1 (release candidate)

14 Mar 11:19
Pre-release

⚠️ Important note on release candidates

This is a Release Candidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide general feedback on this RC in this ticket. An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

If you run into any obvious bugs, please follow "How to file a bug report" - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

✋💥 Heads-up: OctoPrint 1.8.0 drops Python 2 support!

As previously announced on the OctoBlog and in OctoPrint On Air #43, OctoPrint 1.8.0 drops Python 2 support. In order to be able to install/update to it, you need to be running OctoPrint under Python 3 already, e.g. as shipped on OctoPi 0.18.0. Installing on Python 2 will fail. The Software Updater will also be redirected to a new OctoPrint Legacy repository for checking for OctoPrint updates if it detects that you are still running Python 2. As outlined in the blog post and the vlog, there are no more updates for OctoPrint 1.7/Python 2 planned. Update now or you will be left behind.

If you are unsure what version of Python your OctoPrint instance is running under, open the web interface and look into the lower left corner, where it will tell you.

This is also covered in the FAQ.

✋🧩 Heads-up for plugin authors: Importing Jinja2 templates from another plugin without an explicit prefix is now deprecated!

Until now, OctoPrint (erroneously) allowed a plugin's templates to be replaced by templates of the same name from another plugin, depending on loading order. Fixing this required creating prefixes for plugin templates. Relative imports (think {% include "snippets/my_snippet.jinja2" %}) will now attempt to resolve against the current plugin. If that isn't possible, OctoPrint will for now also attempt to resolve them globally against all registered templates, and if a match is found, a deprecation will be logged. The latter behaviour will be removed in a future version of OctoPrint, so if your plugin includes templates from other plugins, you should now change it to use plugin prefixes when running on OctoPrint 1.8.0 or higher. Plugin prefixes are plugin_<plugin identifier>/, so for example, to include the settings pane of the bundled software update plugin, you'd now need to use plugin_softwareupdate/plugin_softwareupdate_settings.jinja2.

✋🧩 Heads-up for plugin authors: octoprint.util.bom_aware_open is now deprecated and will be removed in 2.0.0

If your code uses bom_aware_open, you should replace its use with the regular open with utf-8-sig encoding instead (or io.open in py2/3 compatibility mode).

✋🧩 Heads-up for plugin authors: octoprint.util.commandline.clean_ansi will no longer accept bytes in 2.0.0

If your code uses clean_ansi somewhere, make sure you supply it with str (formerly known as unicode) instead of bytes objects.

✨ Features & improvements

  • #3261 - The temperature tab now has (optional) event markers for when a print gets started, paused, resumed, cancelled or finishes. (PR #4382)
  • #3491 - Added new events FileMoved and FolderMoved, see the documentation for details on payload. (PR #4405)
  • #3589 - Software Update: You may now enqueue software updates while a print is ongoing. They will then be started (after a short countdown) after successful completion of the print, or manually if you cancelled the print. You can manage the queue during the print to remove items you don't want enqueued after all, or add additional items to it as well. (PR #4364)
  • #3868 - Optionally remember (and restore) the last opened folder in the files list in the browser if enabled in the features. (PR #4291)
  • #4179 - Gcode Viewer: Every fifth grid line (= every 5cm) will now be drawn slightly thicker to allow for easier counting and mapping of physical location. (PR #4287)
  • #4186 (PR) - Added support for changing order in which plugin hooks & implementation callbacks are called by OctoPrint.
  • #4218 - Gcode Viewer: Prevent mouse wheel from scrolling entire page and panning the canvas. (PR #4274)
  • #4221 (PR) - Improved performance of serial device lookup.
  • #4222 (PR) - Improved performance of all yaml operations by using the C based loader when possible.
  • #4223 (PR) - Added a ripgrep ignore file.
  • #4225 (PR) - Added a first version for embedding WebRTC based webcams. Please note that this should be considered beta and is still subject to change while further work and research is being done on the backend side of things.
  • #4227 - Added a help message that reminds users that username and password are case sensitive. (PR #4246).
  • #4228 - Switch the code to use utf-8-sig encoding instead of bom_aware_open and deprecated bom_aware_open. It will be removed in 2.0.0.
  • #4230 (PR) - Improved settings processing performance by optimizing deep_dict and using pickle for deep-copying.
  • #4235 (PR) - Added a Server-Timing response header to the API responses to allow for better profiling.
  • #4236 (PR) - Improved settings processing performance by reimplementing the underlying data structure as a flattened instead of a nested chainmap.
  • #4237 - Added a heads-up for when no serial port could be found in the system, with a link to the corresponding FAQ entry with additional steps. Also added a notification for port auto detection failure, linking to the same FAQ entry. This behaviour can be disabled by setting serial.ignoreEmptyPorts to true in config.yaml.
  • #4241 (PR) - Added tracebacks to TypeErrors caught in Plugin Settings.
  • #4244 (PR) - Return to depend on frozendict under Python 3 instead of immutabledict, as it's now maintained again.
  • #4280 (PR) - Websocket clients can now selectively subscribe to messages on the socket. See the docs for the new subscribe message on the push socket.
  • #4289 (PR) - Add Python 3.10 to automatic tests and package classifiers.
  • #4314 - Plugin Manager: It's now possible to bulk enable/disable plugins. This makes it easier for the user to locate plugins that are causing problems in the system.
  • #4317 - Non-Gcode commands can now also be defined as long running, as long as they do not have any parameters.
  • #4320 (PR) - Change some references links to https.
  • #4322 (PR) - Drastically reduced bandwidth used by the web socket by enabling the permessage-deflate extension of the websocket protocol.
  • #4324 (PR) - Virtual printer: Support for printer locking (Marlin's PASSWORD_FEATURE).
  • #4332 - Software Update: Improved logging in case of failures in running update checks, e.g. GitHub release fetching with an outdated PAT. Failing requests of any kind now generate a log entry and are also reflected in the frontend, similar to rate limiting situations.
  • #4337 (PR) - Plugin Manager: Added a new endpoint /plugin/pluginmanager/plugins/versions and associated PLUGIN_PLUGINMANAGER_LIST permission that allows to list installed...

1.7.3

20 Jan 11:22

This is a bugfix release for 1.7.x.

The heads-ups from 1.7.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

Bug fixes

Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release, especially @kantlivelong for his PR!

More information

  • Commits
  • As this is a bugfix release, there were no release candidates

1.7.2

02 Nov 17:30

This is a bugfix release for 1.7.x.

The heads-ups from 1.7.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

Bug fixes

  • #4293 - Fix double quoting of the resource ref on the files API. This was causing issues with the Cura plugin and other third party API clients.

Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release!

More information

  • Commits
  • As this is a bugfix release, there were no release candidates