1.8.0

@foosel foosel released this 17 May 11:18
· 411 commits to master since this release

✋ Heads-ups

💥 OctoPrint 1.8.0 drops Python 2 support!

As previously announced on the OctoBlog and in OctoPrint On Air #43, OctoPrint 1.8.0 drops Python 2 support. In order to be able to install/update to it, you need to be running OctoPrint under Python 3 already, e.g. as shipped on OctoPi 0.18.0. Installing on Python 2 will fail. The Software Updater will also be redirected to a new OctoPrint Legacy repository for checking for OctoPrint updates if it detects that you are still running Python 2. As outlined in the blog post and the vlog, there are no more updates for OctoPrint 1.7/Python 2 planned. Update now or you will be left behind, including for most security fixes!

If you are unsure what version of Python your OctoPrint instance is running under, open the web interface and look in the lower left corner, where it will tell you.

This is also covered in the FAQ.

🔒 OctoPrint 1.8.0 fixes some reported security issues, update ASAP!

While OctoPrint 1.8.0rc5 was undergoing testing, three security vulnerabilities were disclosed to me. These issues are fixed in the stable release of 1.8.0. Since these vulnerabilities are of low concern for instances that, as strongly recommended, are not publicly exposed on the internet or other hostile networks, the fixes will not be backported to OctoPrint 1.7.x and thus not to instances still running under Python 2.

Please update your OctoPrint instance to the latest stable version of OctoPrint 1.8.0 as soon as possible.

🧩 Heads-ups for plugin authors

🧩 Importing Jinja2 templates from another plugin without an explicit prefix is now deprecated!

Until now, OctoPrint (erroneously) allowed a plugin to replace templates of the same name in another plugin, depending on loading order. Fixing this required introducing prefixes for plugin templates. Relative imports (think {% include "snippets/my_snippet.jinja2" %}) will now first attempt to resolve against the current plugin. If that isn't possible, OctoPrint will for now also attempt to resolve globally against all registered templates, and if a match is found, a deprecation will be logged. This fallback will be removed in a future version of OctoPrint, so if your plugin includes templates from other plugins you should now switch to plugin prefixes when running on OctoPrint 1.8.0 or higher. Plugin prefixes are plugin_<plugin identifier>/, so for example, to include the settings pane of the bundled software update plugin, you'd now need to use plugin_softwareupdate/plugin_softwareupdate_settings.jinja2.

🧩 octoprint.util.bom_aware_open is now deprecated and will be removed in 2.0.0

If your code uses bom_aware_open, you should replace its use with the regular open with utf-8-sig encoding instead (or io.open in py2/3 compatibility mode).

🧩 octoprint.util.commandline.clean_ansi will no longer accept bytes in 2.0.0

If your code uses clean_ansi somewhere, make sure you supply it with str (formerly known as unicode) instead of bytes objects.

🧩 Settings._config is read-only!

If your plugin code has been using Settings._config to modify what gets stored in config.yaml, this will no longer work. It never was a supported method, however it did work due to how things were implemented internally. Implementation has changed now so that any code doing this will no longer work - the nested dictionary returned by the Settings._config is only a copy of the internal data structure and thus any modifications will be dropped silently. A deprecation warning has been added just in case. Use the provided set and remove methods on the settings object instead please.

♻ Changes

🔒 Security fixes

  • CVE-2022-1430 - Fixed a Cross Site Scripting vulnerability in the login dialog. An attacker could send a login URL with a specially crafted redirect parameter to an instance admin that, if used to log in, would allow the attacker to steal the "remember me" cookie. This could then have been used to gain access to the OctoPrint instance with the victim's credentials, if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this responsibly.
  • CVE-2022-1432 - Fixed a Cross Site Scripting vulnerability in the webcam stream URL test. An attacker could talk an instance administrator into inserting a specially crafted HTML/JS snippet into the webcam settings and then ask them to click "test", making the JS code run and potentially steal the remember me token. This could then have been used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this responsibly.
  • Fixed an open redirect vulnerability in the login dialog. An attacker could send a login URL with a redirect parameter pointing to an external page under their control to an instance admin that, if used to log in, would redirect to this URL, allowing the attacker to start a phishing attack. This is not directly exploitable by the attacker, but after a successful phishing attack the credentials thus obtained could be used to gain access to the OctoPrint instance if somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network contrary to the project's recommendations). Thanks to "rajbabai8" for reporting and disclosing this responsibly.
  • Fixed a Cross Site Scripting vulnerability in the login dialog regarding the userId parameter. It is currently unconfirmed if this could have been used for an attack.
  • Set the "remember me" cookie to http only. This prevents an attacker from accessing the cookie via JavaScript, e.g. in the context of Cross Site Scripting attacks.
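
The two defensive patterns named in this list, as an added example that is not OctoPrint's own code or its actual fix: validating a login `redirect` parameter so it can only point back into the same site, and setting the HttpOnly flag on a cookie. The function names, the cookie name `remember_me_demo` and all sample values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def safe_redirect_target(target, default="/"):
    """Return `target` only if it is a path on this site, else `default`."""
    if not target:
        return default
    # Browsers treat a backslash like a slash and drop tab/CR/LF inside URLs,
    # so such values can end up off-site. Refuse those characters outright.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed bracketed host
        return default
    # Any scheme (https:, javascript:, data:) or host means "not a local path".
    if parts.scheme or parts.netloc:
        return default
    # Require an absolute path; "//host/path" is scheme-relative, not local.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


def remember_me_cookie(value, name="remember_me_demo"):
    """Build a Set-Cookie value that page scripts cannot read (HttpOnly)."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed sample redirect parameters, not taken from the advisories.
    samples = [
        "/?tab=files",
        "https://attacker.example/login",
        "//attacker.example/",
        "javascript:alert(1)",
        "/\\attacker.example",
        "",
    ]
    for sample in samples:
        print(f"{sample!r:40} -> {safe_redirect_target(sample)!r}")
    print("Set-Cookie:", remember_me_cookie("constructed-value"))
```
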

✨ Features & improvements

  • #3261 - The temperature tab now has (optional) event markers for when a print gets started, paused, resumed, cancelled or finishes. (PR #4382)
  • #3491 - Added new events FileMoved and FolderMoved, see the documentation for details on payload. (PR #4405)
  • #3589 - Software Update: You may now enqueue software updates while a print is ongoing. They will then be started (after a short countdown) after successful completion of the print, or manually if you cancelled the print. You can manage the queue during the print to remove items you don't want enqueued after all, or add additional items to it as well. (PR #4364)
  • #3868 - Optionally remember (and restore) the last opened folder in the files list in the browser if enabled in the features. (PR #4291)
  • #4179 - Gcode Viewer: Every fifth grid line (= every 5cm) will now be drawn slightly thicker to allow for easier counting and mapping of physical location. (PR #4287)
  • #4186 (PR) - Added support for changing order in which plugin hooks & implementation callbacks are called by OctoPrint.
  • #4218 - Gcode Viewer: Prevent mouse wheel from scrolling entire page and panning the canvas. (PR #4274)
  • #4221 (PR) - Improved performance of serial device lookup.
  • #4222 (PR) - Improved performance of all yaml operations by using the C based loader when possible.
  • #4223 (PR) - Added a ripgrep ignore file.
  • #4225 (PR) - Added a first version for embedding WebRTC based webcams. Please note that this should be considered beta and is still subject to change while further work and research is being done on the backend side of things.
  • #4227 - Added a help message that reminds users that username and password are case sensitive. (PR #4246).
  • #4228 - Switch the code to use utf-8-sig encoding instead of bom_aware_open and deprecated bom_aware_open. It will be removed in 2.0.0.
  • #4230 (PR) - Improved settings processing performance by optimizing deep_dict and using pickle for deep-copying.
  • #4235 (PR) - Added a Server-Timing response header to the API responses to allow for better profiling.
  • #4236 (PR) - Improved settings processing performance by reimplementing the underlying data structure as a flattened instead of a nested chainmap.
  • #4237 - Added a heads-up for when no serial port could be found in the system, with a link to the corresponding FAQ entry with additional steps. Also added a notification for port auto detection failure, linking to the same FAQ entry. This behaviour can be disabled by setting serial.ignoreEmptyPorts to true in config.yaml.
  • #4241 (PR) - Added tracebacks to TypeErrors caught in Plugin Settings.
  • #4244 (PR) - Return to depend on frozendict under Python 3 instead of immutabledict, as it's now maintained again.
  • #4280 (PR) - Websocket clients can now selectively subscribe to messages on the socket. See the docs for the new subscribe message on the push socket.
  • #4289 (PR) - Add Python 3.10 to automatic tests and package classifiers.
  • #4314 - Plugin Manager: It's now possible to bulk enable/disable plugins. This makes it easier for the user to locate plugins that are causing problems in the system.
  • #4317 - Non-Gcode commands can now also be defined as long running, as long as they do not have any parameters.
  • #4320 (PR) - Change some references links to https.
  • #4322 (PR) - Drastically reduced bandwidth used by the web socket by enabling the permessage-deflate extension of the websocket protocol.
  • #4324 (PR) - Virtual printer: Support for printer locking (Marlin's PASSWORD_FEATURE).
  • #4332 - Software Update: Improved logging in case of failures in running update checks, e.g. GitHub release fetching with an outdated PAT. Failing requests of any kind now generate a log entry and are also reflected in the frontend, similar to rate limiting situations.
  • #4337 (PR) - Plugin Manager: Added a new endpoint /plugin/pluginmanager/plugins/versions and associated PLUGIN_PLUGINMANAGER_LIST permission that allows listing installed plugins and their versions in a machine readable JSON format. Useful for 3rd party plugins to determine which plugins are available on the connected OctoPrint instance.
  • #4339 (PR) - Announcements: Improve performance by using a new encoding/decoding strategy for the cache and caching the parsed feed instead of the raw xml.
  • #4340 (PR) - Plugin Manager: Improve performance of plugin notification retrieval by caching parsed version structures.
  • #4352 - Event Manager: Added a note that event handlers are async.
  • #4353 - Expose configuration of default extrusions length on the UI (again) and also move it into the printer profile. (PR #4416)
  • #4356 - Added <noscript> to login page to give a heads-up if JS is disabled which is required for OctoPrint and its login page to function.
  • #4357 - Support for the "Host Shutdown" Action command can now be enabled so you can shut down the whole server via your printer's menu if supported by your firmware. Note that this is disabled by default and has to be enabled via Settings > Serial Connection > Firmware & Protocol > Action Commands. (PR #4358)
  • #4363 - Software Update: New option force_reinstall for the pip updater. If set to true it will have the updater run a double install, once normal, once with --force-reinstall and --no-deps (to force a reinstall of the package but not all its dependencies).
  • #4363 - Plugin Manager & Software Update: Refactor pip error handling to be shared between Software Update, Plugin Manager and whatever else might need it.
  • #4368 - The Gcode command used to cancel an SD card print is now configurable and defaults to M25. (PR #4408)
  • #4370 (PR) - Timelapse: Recordings will now get a preview thumbnail rendered and displayed. A command line command has been added as well to generate thumbnails for already existing recordings via octoprint timelapse create_thumbnails, see octoprint timelapse create_thumbnails --help for usage information.
  • #4375 - Implement rotate & mirror functionality for HLS (& the new WebRTC) camera embeds. (PR #4378)
  • #4385 (PR) - Improve error reporting on failure to open serial port.
  • #4387 (PR) - Disable spell check on various search fields.
  • #4388 (PR) - Automatically parse additional temperature fields from M105 report/temperature autoreport and provide them on the internal and REST APIs.
  • #4390 (PR) - The encoding to use for the serial connection can now be configured via serial.encoding in config.yaml. It defaults to ascii but any other encoding recognized by Python can be used here if the printer requires it. Probably only relevant for now for very specific builds.
  • #4396 - Support --no-color command line argument and also NO_COLOR environment variable standard to disable coloring of standard (logging) output on command line. (PR #4402)
  • #4399 (PR) - Streamed ZIP downloads (e.g. the systeminfo bundle or bundled timelapses) now come with a Content-Length. Backport of PR #4313.
  • #4403 (PR) - New development related CLI command octoprint dev css:build. Can be used to run lessc against all relevant files. Note that you'll first need to install lessc via npm i -g less. For usage details see octoprint dev css:build --help.
  • #4423 - Expose serial.unknownCommandsNeedAck and serial.sendChecksumWithUnknownCommands in UI and assume them to be true if Prusa Firmware is detected to combat issues that might otherwise arise with MMU usage due to non-standard Tc and Tx commands. See also discussion in prusa3d/Prusa-Firmware#3411.
  • #4427 (PR) - Increase web socket connect timeout to reduce likelihood of less performant transport fallback in case of slow initial connection.
  • #4430 (PR) - Gcode Viewer: Improved overall memory utilization by switching underlying data structure from an AVL tree to a binary tree. As a welcome side effect, this also fixed #2243.
  • #4432 (PR) - Gcode Viewer: Further memory usage improvement by switching the line split of the loader from using a regex to using a simple string split.
  • #4437 (PR) - Support two digit flavors of G0 through G3 in Gcode Viewer and Gcode analysis (so, G00 through G03). Relevant for CNC applications.
  • #4443 (PR) - Software Update: Allow setting the GitHub Personal Access Token (to work around rate limiting issues) via the UI.
  • #4460 - Expose new config flag serial.ignoreEmptyPorts to ignore empty serial ports and maintain pre 1.8.0 default behaviour regarding the handling of the situation on the UI as well (see Serial Connection > General > Connection > Advanced Options > Ignore empty ports).
  • OctoPrint now requires Python 3.7 or newer. Starting with this release OctoPrint is Python 3 only. See also the heads-up above. Correspondingly also switched all links in the docs and the UI to the Python docs to refer to Python 3 docs instead of Python 2.
  • Added last safe mode date & reason to the system info bundle. This makes it possible to determine whether safe mode was recently launched, and why it was launched.
  • Rephrased system info bundle sharing instructions and removed copy button for short system info text to discourage sharing that instead of the full bundle, which we've sadly seen a ton over the past few months.
  • Removed the webassets cache as it only makes a difference during development, and removing it closes a potential abuse vector.
  • Improved performance of CLI command listings.
  • Instead of silently ignoring a select/print on file upload if the necessary preconditions aren't met, include the effective select/print flags on the upload API and in the triggered UPLOAD event.
  • Update version requirement for PiSupport plugin to latest release
  • Harden against wonky firmware temperature responses that might lead to hotend or bed temperature values being overwritten with something else, by only ever using the first value for a sensor key seen in the response.
  • Application Keys: The plugin now supports a stand-alone authentication dialog which can be accessed via the auth_dialog property returned in response to an app token request. Third party clients can use this lightweight alternative to request an API key on behalf of a user without having to display/load the whole OctoPrint UI.
  • Application Keys: Add docs for new auth dialog work flow.
  • Discovery: Add new config options to ignore interfaces (plugins.discovery.ignoredInterfaces) and limit zeroconf to configured/not ignored interfaces only.
  • Gcode Viewer: Added more progress info during loading process.
  • Plugin Manager: Support .whl uploads as well.
  • Software Update: Improved the update & check buttons. "Update all" will now only update enabled items, "Update all available" (in the new dropdown) will update enabled and muted items, "Check for updates" does what it always did, "Force check for updates" (dropdown) bypasses the cache, and notification muting and underlying logic is now explained in a footer.
  • Software Update: Put a stronger warning about automatic updates of pip in place.
  • Tracking: Include octopiuptodate_build from PiSupport Plugin, if set. This gives us a better overview on what specific environments to test and develop against.
  • Virtual Printer: Added ability to simulate broken Klipper MCU connection.
  • Translation improvements (PR #4290, PR #4385, PR #4386)
  • Cleaned up code here and there.

🐛 Bug fixes

  • #2243 (PR) - GCode Viewer: Properly display sequentially printed files. Welcome side effect of #4430.
  • #4153 - Fix default ffmpeg commandline (-framerate instead of -r) to ensure ffmpeg generates correct progress reports while rendering a timelapse (PR #4344)
  • #4212 - Fix file selection not properly updating when selecting a file to print from the printer controller.
  • #4238 - Software Update: Fix handling of plugin downgrades on release channel switch.
  • #4240 (PR) - Improve memory footprint of client side terminal by fixing a wrong use of _.map.
  • #4242 - Refocus username input field in the login form on authentication failure (PR #4249)
  • #4260 - Fixed the wrong behaviour that plugins could overwrite plugin templates of other plugins by giving them the same name by making plugin template includes relative and requiring prefixes to address templates of other plugins. See also the associated heads-up for plugin authors above (PR #4281)
  • #4299 - Don't try to enter cancelling state again if already in it.
  • #4316 - Fix timelapse temp folder configuration, which wasn't possible via the UI since 1.5.0.
  • #4321 (PR) - Fixed the offline indicator icon.
  • #4336 (PR) - Don't treat paused state as "ready to print" on APIs.
  • #4349 (PR) - Fix some issues where the timelapse documentation didn't match the implementation (by fixing the docs).
  • #4362 - Fix parsing of version numbers, no longer truncates version after first -.
  • #4363 - Plugin Manager & Software Update: Fix "already installed" detection for newer versions of pip.
  • #4365 - Fix failing timelapse snapshots if the printed file contains a %. (PR #4366)
  • #4367 - Fix error message displayed when attempting to upload a file that is already printed, now properly reflects the issue at hand.
  • #4380 - Fix connectivity check against IPV6 targets. OctoPrint will now first try to reach the host via IPV6 (if enabled), if that fails, fall back to IPV4, and only if that fails too report a connection failure.
  • #4392 - Fix an encoding bug in the clean_ansi helper used for cleaning pip output. Issue caused plugin installation/deinstallation/updates, OctoPrint updates and backups to fail against pip 22+ due to an introduction of a UTF-8 separator line in that.
  • #4396 - Fix colors of standard (logging) output on command line to be better suited for light backgrounds. (PR #4402)
  • #4404 (PR) - Fix less build under less v4
  • #4417 - Fix a faulty regex that caused custom events with uppercase identifiers to generate event names with a double _.
  • #4433 (PR) - Don't load Font Awesome twice.
  • #4439 (PR) - Software Update: Use the correct ignore_throttled setting.
  • #4449 (PR) - Gcode Viewer: Only clear state on event when idle.
  • #4453 (regression) - Improve resilience against broken plugin template configs.
  • #4454 (regression) - Fix a fatal error in the refactored settings hierarchy upon encountering an int key.
  • #4456 (regression) - Fix a serial loop crash when encountering a custom temperature entry (or garbage that looks like one) that matches the too broadly defined reserved identifier regex.
  • #4458 (regression) - Fix retrieval of full dict structures from the settings for which an empty default exists.
  • #4459 (regression) - GCode Viewer: Fix transmission of parsed layer data structure from the worker to the main thread.
  • #4463 (regression) - GCode Viewer: Fix viewer not showing the last layer.
  • #4479 (regression) - Further harden new settings structure against invalid data structures from third party plugins.
  • #4486 (regression) - Fix changing of folder paths via the settings.
  • Fix parsing of firmware capability lines containing the string NAME: getting matched by the M115 response parser instead of the capability parser, by moving the capability parser before the M115 response parser.
  • Fix firmware info inclusion in systeminfo.txt of system info bundle.
  • Improved error resilience in hook processing. Hooks running into errors could prevent commands from being sent to the printer altogether, which has now been rectified.
  • Got rid of a deprecation warning in the plugin sub system by refactoring some code.
  • Clear position recording flag in communication layer on cancel/pause preparation timeout.
  • Reset position data in communication layer on cancel/pause preparation.
  • Add some missing less 4 compatibility fixes
  • Work around a compatibility issue between latest werkzeug and flask-login releases by pinning werkzeug to 2.0.x.
  • (regression) Fix version requirement of PiSupport plugin
  • (regression) Fixed a potential race condition that could cause an Internal Server Error on initial page load (self-fixing on the next reload though). Likely a regression caused by the changes to the webassets cache handling.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this release, especially to @adamwolf, @ademuri, @cp2004, @crysxd, @DShenkle, @flaviut, @gdombiak, @GonzoDMX, @jneilliii, @johnboiles, @JoveToo, @kantlivelong, @kohend, @LazeMSS, @MartijnBraam, @NilsRo, @OllisGit, @pR0Ps, @QuinnDamerell, @rooterkyberian, @Rotzbua, @surdu, @synman, @The-EG, @thelastWallE, @TylonHH and @vector76 for their PRs!

Also a big thank you to rajbabai8 for responsibly disclosing the security vulnerabilities that were fixed in this release.

🔗 More information