pkgsrc-Changes archive
CVS commit: pkgsrc/print/py-octoprint
Module Name: pkgsrc
Committed By: adam
Date: Sun Jan 19 16:13:21 UTC 2025
Modified Files:
pkgsrc/print/py-octoprint: Makefile distinfo
Log Message:
py-octoprint: updated to 1.10.3
1.10.3
Changes
Security fixes
Severity Moderate (5.5): OctoPrint versions up until and including 1.10.2 are vulnerable to reflected XSS vulnerabilities through its Jinja2 template system, as this is not configured to enforce
automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog.
An attacker who successfully talked a victim into clicking on, or through a malicious third party app successfully redirected a victim to, a specially crafted link could use this to retrieve or modify
sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.
The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been fixed in 1.10.3 by individual escaping of the detected locations. A
global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack
surface in general.
The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic
escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.
See also the GitHub Security Advisory and CVE-2024-49377.
Severity Moderate (5.3): OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint
browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password.
An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.
See also the GitHub Security Advisory and CVE-2024-51493.
Minor Security fixes
Core: Use secrets lib to generate Flask secret key, API keys and user session IDs.
Discovery Plugin: Removed version number from discovery.xml of SSDP discovery. Combats information leakage.
GCODE Viewer Plugin: Limited access to skip_until check API to available GCODE_VIEWER and FILES_DOWNLOAD permissions. Combats information leakage.
Bug fixes
Core
Fixed a typo where the config setting server.reverseProxy.trustedUpstream was used instead of server.reverseProxy.trustedDownstream. Also made the SockJS trusted proxy check align with that of Flask
& Tornado.
Fixed file list cache being created before all extension tree providing plugins have had a chance to act.
Plugin Manager
Fixed dequeuing of plugin installs.
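The reflected-XSS item above comes down to one Jinja2 setting: whether the environment escapes values it interpolates. The added example below (not OctoPrint code; the login-style template, the `redirect` parameter and the tainted input are constructed stand-ins) renders the same template three ways: without autoescape as in releases up to 1.10.2, with per-location escaping as done in 1.10.3, and with autoescape globally enforced as planned for 1.11.0.

```python
"""Jinja2 autoescape, the setting behind the reflected XSS fixed in 1.10.3.

Constructed example, not OctoPrint code: LOGIN_TEMPLATE, the 'redirect'
parameter and TAINTED are stand-ins for the login-dialog pattern described
in the changelog.
"""
from jinja2 import Environment
from markupsafe import escape

# Constructed template that reflects a request parameter back into the page.
LOGIN_TEMPLATE = '<form action="/login?redirect={{ redirect }}">'

# Constructed tainted input: a harmless marker tag, not a working payload.
TAINTED = '"><b>injected</b>'


def render_without_autoescape(value: str) -> str:
    """Environment as in <= 1.10.2: autoescape not enforced, value lands raw."""
    env = Environment(autoescape=False)
    return env.from_string(LOGIN_TEMPLATE).render(redirect=value)


def render_with_manual_escape(value: str) -> str:
    """The 1.10.3 approach: escape each known location individually."""
    env = Environment(autoescape=False)
    return env.from_string(LOGIN_TEMPLATE).render(redirect=escape(value))


def render_with_autoescape(value: str) -> str:
    """The 1.11.0 approach: escaping enforced by the environment itself,
    so a template author cannot forget it at a new location."""
    env = Environment(autoescape=True)
    return env.from_string(LOGIN_TEMPLATE).render(redirect=value)


def is_reflected_unescaped(rendered: str, marker: str = "<b>") -> bool:
    """Detection check: did the raw tag marker survive into the output?"""
    return marker in rendered


if __name__ == "__main__":
    for name, fn in (("no autoescape", render_without_autoescape),
                     ("manual escape", render_with_manual_escape),
                     ("autoescape", render_with_autoescape)):
        out = fn(TAINTED)
        print(f"{name:14s} reflected unescaped={is_reflected_unescaped(out)}: {out}")
```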
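The second advisory (API key retrieved, recreated or deleted from a hijacked session without re-entering the password) and the Core fix that moved key generation to the `secrets` module share one lesson, shown in this added example (constructed, not OctoPrint code; `ApiKeyService` and its method names are hypothetical): a sensitive action must re-verify the account password rather than trust the session alone, and the keys it mints must come from a CSPRNG.

```python
"""Re-authentication guard for API-key operations.

Constructed example, not OctoPrint code: ApiKeyService and its methods are
hypothetical. It contrasts a session-only check with one that demands the
password again, and mints keys with secrets (as the 1.10.3 Core fix does).
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def generate_api_key() -> str:
    """secrets, not random: CSPRNG-backed, 256 bits of entropy as hex."""
    return secrets.token_hex(32)


class ApiKeyService:
    def __init__(self, salt: bytes, digest: bytes):
        self._salt, self._digest = salt, digest
        self.api_key = generate_api_key()

    def regenerate_unsafe(self, session_authenticated: bool) -> str:
        """Pre-1.10.3 pattern: a hijacked browser session alone suffices."""
        if not session_authenticated:
            raise PermissionError("login required")
        self.api_key = generate_api_key()
        return self.api_key

    def regenerate(self, session_authenticated: bool, password: str) -> str:
        """Fixed pattern: the session must also prove the account password."""
        if not session_authenticated or not verify_password(password, self._salt, self._digest):
            raise PermissionError("re-authentication required")
        self.api_key = generate_api_key()
        return self.api_key


def attempt_regenerate(svc: ApiKeyService, authenticated: bool, password: str) -> bool:
    """True if the guarded regeneration succeeded, False if it was refused."""
    try:
        svc.regenerate(authenticated, password)
        return True
    except PermissionError:
        return False
```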
To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 pkgsrc/print/py-octoprint/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/print/py-octoprint/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/print/py-octoprint/Makefile
diff -u pkgsrc/print/py-octoprint/Makefile:1.9 pkgsrc/print/py-octoprint/Makefile:1.10
--- pkgsrc/print/py-octoprint/Makefile:1.9 Wed Sep 18 08:12:19 2024
+++ pkgsrc/print/py-octoprint/Makefile Sun Jan 19 16:13:21 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.9 2024/09/18 08:12:19 adam Exp $
+# $NetBSD: Makefile,v 1.10 2025/01/19 16:13:21 adam Exp $
-DISTNAME= octoprint-1.10.2
+DISTNAME= octoprint-1.10.3
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= print python
MASTER_SITES= ${MASTER_SITE_PYPI:=O/OctoPrint/}
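Review bot: the DISTNAME bump to octoprint-1.10.3 is the only functional change in this hunk, which matches the log message (two security fixes upstream, nothing new to package). Since the log cites CVE-2024-49377 and CVE-2024-51493, make sure matching pkg-vulnerabilities entries for py-octoprint versions below 1.10.3 land alongside this update so users still on 1.10.2 get an audit-packages warning.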
@@ -71,8 +71,8 @@ TEST_DEPENDS+= ${PYPKGPREFIX}-mock>=5.1.
USE_LANGUAGES= # none
post-install:
- ${MV} ${DESTDIR}${PREFIX}/bin/octoprint \
- ${DESTDIR}${PREFIX}/bin/octoprint-${PYVERSSUFFIX} || ${TRUE}
+ cd ${DESTDIR}${PREFIX}/bin && \
+ ${MV} octoprint octoprint-${PYVERSSUFFIX} || ${TRUE}
.include "../../lang/python/wheel.mk"
.include "../../mk/bsd.pkg.mk"
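Review bot: the new `cd ${DESTDIR}${PREFIX}/bin && ${MV} octoprint octoprint-${PYVERSSUFFIX} || ${TRUE}` parses as `(cd && mv) || true`, so a failing `cd` (bin directory absent) is now silently swallowed as well, whereas the old two-line form only masked the `mv`. If the entry-point script is expected to always exist after wheel.mk installs it, consider dropping `|| ${TRUE}` so a missing `octoprint` script fails the build rather than producing a package without `octoprint-${PYVERSSUFFIX}`.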
Index: pkgsrc/print/py-octoprint/distinfo
diff -u pkgsrc/print/py-octoprint/distinfo:1.6 pkgsrc/print/py-octoprint/distinfo:1.7
--- pkgsrc/print/py-octoprint/distinfo:1.6 Wed Sep 18 08:12:19 2024
+++ pkgsrc/print/py-octoprint/distinfo Sun Jan 19 16:13:21 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.6 2024/09/18 08:12:19 adam Exp $
+$NetBSD: distinfo,v 1.7 2025/01/19 16:13:21 adam Exp $
-BLAKE2s (octoprint-1.10.2.tar.gz) = b2ff6c02043b5b5832a9be2d1a0de29b405c4c6477952529e3ead8ed2e518a80
-SHA512 (octoprint-1.10.2.tar.gz) = e5fb4e7e1269e53ce646a4126c257089d839661d6184b87ae5fffe64b83df69efea6c1eb0e24565944750e21ea7bc19239ddf8596bd85cd3c72456e3e62648c6
-Size (octoprint-1.10.2.tar.gz) = 3127351 bytes
+BLAKE2s (octoprint-1.10.3.tar.gz) = 4d3a1e5b1ce792d4876ad6c8fc3dfd1302a7c324e6c89af54801aeb4e69842bf
+SHA512 (octoprint-1.10.3.tar.gz) = b394de760947121992ef456d6c2d363759118830f5d49ffe8c5c56ab8f29c54a0a493dfa5d04ab28257a02a07f1533dd9e6e3ce3abfb9b0120cbd93ccd6a792b
+Size (octoprint-1.10.3.tar.gz) = 3127867 bytes
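Review bot: the BLAKE2s, SHA512 and Size lines should come from `make distinfo` on the freshly fetched tarball rather than be transcribed, and the size delta (3127351 to 3127867 bytes, +516) is consistent with a point release that adds a handful of escaping calls. Worth a quick cross-check of the fetched file's digest against the upstream release before committing, since these hashes are what every downstream build will trust.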