Authentication Bypass by Spoofing
CVE-2024-32977
Summary
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions prior to 1.10.1 contain a vulnerability that allows an unauthenticated attacker to completely bypass authentication when the `autologinLocal` option is enabled in `config.yaml`: by spoofing their IP address via the `X-Forwarded-For` header, the attacker is treated as a local client even when connecting from a network that is not configured in `localNetworks`. If `autologin` is not enabled, this vulnerability has no impact. Until the patch has been applied, OctoPrint administrators who have `autologin` enabled on their instances should disable it and/or make the instance inaccessible from potentially hostile networks such as the internet.
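The following is an added illustration of the weakness class described above; it is not OctoPrint's code and does not reproduce its configuration keys. It models a "log in automatically if the client is on a local network" feature in two variants: one that believes `X-Forwarded-For` from any TCP peer (the spoofable pattern) and one that honours the header only when the peer is a configured reverse proxy, then walks the header from the right past trusted hops to the first address the proxies did not add. `LOCAL_NETWORKS`, `TRUSTED_PROXIES`, the request shape and all function names are assumptions made for this example.

```python
"""
Added example for CVE-2024-32977's weakness class (CWE-290). Not OctoPrint's
own code; LOCAL_NETWORKS, TRUSTED_PROXIES and the request shape are assumed.
"""
import ipaddress

# Assumed stand-in for a localNetworks setting: only loopback counts as local.
LOCAL_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("::1/128")]

# Assumed list of reverse proxies whose X-Forwarded-For header may be trusted.
# An empty list means "never trust the header", which is the safe default
# for an instance exposed directly to the network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.1/32")]


def _in_any(ip_str, networks):
    """True if ip_str parses and falls inside one of the given networks.
    Unparseable values (garbage in a client-supplied header) are never a match."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def client_ip_vulnerable(remote_addr, headers):
    """Spoofable pattern: X-Forwarded-For from anyone overrides the TCP peer
    address, so a remote attacker can simply claim to be 127.0.0.1."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy.
    Proxies append to the right, so the rightmost entries are the ones our
    own proxies added; skip those and return the first untrusted hop, which is
    the address the outermost trusted proxy actually saw. Everything further
    left was supplied by the client and is ignored."""
    if not _in_any(remote_addr, trusted_proxies):
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, trusted_proxies):
            return hop
    # Header empty or made only of our own proxies: fall back to the peer.
    return remote_addr


def autologin_allowed(remote_addr, headers, autologin_local, resolve_client_ip,
                      local_networks=LOCAL_NETWORKS):
    """Decide whether the request gets an automatic login. autologin_local
    models the autologinLocal flag: with it off there is nothing to bypass,
    matching the advisory's statement that the issue has no impact then."""
    if not autologin_local:
        return False
    return _in_any(resolve_client_ip(remote_addr, headers), local_networks)


if __name__ == "__main__":
    # Constructed request: attacker on the internet claims to be loopback.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", autologin_allowed("203.0.113.5", spoofed, True,
                                           client_ip_vulnerable))
    print("hardened:  ", autologin_allowed("203.0.113.5", spoofed, True,
                                           client_ip_hardened))
```

Run stand-alone, the spoofed request from 203.0.113.5 is granted autologin by the vulnerable resolver and refused by the hardened one; a genuine loopback connection without the header is granted by both. The check is only as good as the trusted-proxy list: if the proxy itself is not pinned to a specific address, or if the instance is reachable both directly and via the proxy, the header can still be forged, which is why the advisory's interim advice is to turn autologin off rather than to rely on network position.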
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- LOW
CWE-290 - Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.