Labels: approved (Issue has been approved by the bot or manually for further processing), bug (Issue describes a bug), done (Done but not yet released), frontend (Related to the frontend)
Problem
OctoPrint's client-side getCookieSuffix currently replaces only the first occurrence of / in the path used for the R suffix component with a |. It should replace all of them.
Therefore something like /api/hassio/<token> gets turned into _P443_R|api/hassio_ingress/<token> instead of _P443_R|api|hassio_ingress|<token>.
This breaks CSRF validation in setups where OctoPrint is accessed through script paths with multiple path components.
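Added illustration, not OctoPrint's own code: a first-match-only replace beside an all-occurrences replace, and why the mismatch makes the client miss its CSRF cookie. The function names, the (port, scriptPath) parameters and the csrf_token cookie-name prefix are assumptions; the suffix shape "_P<port>_R<path>" follows the issue text.

```javascript
// Hypothetical reconstruction of the suffix builder described in the issue.
// String.prototype.replace with a *string* pattern replaces only the first
// match, which is the defect the issue reports.
function getCookieSuffixBuggy(port, scriptPath) {
  return "_P" + port + "_R" + scriptPath.replace("/", "|");
}

// Corrected variant: a global regex replaces every "/" in the path.
// (String.prototype.replaceAll("/", "|") is equivalent on modern engines.)
function getCookieSuffixFixed(port, scriptPath) {
  return "_P" + port + "_R" + scriptPath.replace(/\//g, "|");
}

// Client-side lookup of the suffixed CSRF cookie. The "csrf_token" prefix is
// an assumption for this illustration. Returns null when no cookie matches,
// which is the failure mode behind the broken CSRF validation.
function lookupCsrfToken(cookies, suffix) {
  const name = "csrf_token" + suffix;
  return Object.prototype.hasOwnProperty.call(cookies, name) ? cookies[name] : null;
}

// Constructed sample: a multi-component script path with a placeholder token,
// and a cookie jar as the server would have set it (all "/" turned into "|").
const samplePath = "/api/hassio_ingress/<token>";
const sampleCookies = {
  "csrf_token_P443_R|api|hassio_ingress|<token>": "constructed-token",
};

console.log(getCookieSuffixBuggy(443, samplePath)); // _P443_R|api/hassio_ingress/<token>
console.log(getCookieSuffixFixed(443, samplePath)); // _P443_R|api|hassio_ingress|<token>
console.log(lookupCsrfToken(sampleCookies, getCookieSuffixBuggy(443, samplePath))); // null
console.log(lookupCsrfToken(sampleCookies, getCookieSuffixFixed(443, samplePath))); // constructed-token
```

With a single-component path such as /octoprint the two builders agree, which is why the defect only surfaces behind multi-segment script paths.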
Solution
In this line replace
with
Additional information
As mentioned on Discord.