From 3a3910f91dc14eccde3d991bbd74aa519f3fb95d Mon Sep 17 00:00:00 2001
From: catboxanon <122327233+catboxanon@users.noreply.github.com>
Date: Sat, 18 Jan 2025 17:47:33 -0500
Subject: [PATCH] PromptServer: Return 400 for empty filename param (#6504)

---
 server.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server.py b/server.py
index bae898ef5..88c163fc7 100644
--- a/server.py
+++ b/server.py
@@ -329,6 +329,9 @@ class PromptServer():
 original_ref = json.loads(post.get("original_ref"))
 filename, output_dir = folder_paths.annotated_filepath(original_ref['filename'])
 
+ if not filename:
+ return web.Response(status=400)
+
 # validation for security: prevent accessing arbitrary path
 if filename[0] == '/' or '..' in filename:
 return web.Response(status=400)
@@ -370,6 +373,9 @@ class PromptServer():
 filename = request.rel_url.query["filename"]
 filename,output_dir = folder_paths.annotated_filepath(filename)
 
+ if not filename:
+ return web.Response(status=400)
+
 # validation for security: prevent accessing arbitrary path
 if filename[0] == '/' or '..' in filename:
 return web.Response(status=400)
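Review bot: The added `if not filename` guard only covers an empty or None value coming back from `annotated_filepath`; in the second hunk the preceding `request.rel_url.query["filename"]` still raises KeyError when the parameter is absent entirely, which surfaces as a 500 instead of the intended 400, so `filename = request.rel_url.query.get("filename")` would route the missing-parameter case through the new check (the first hunk's `original_ref['filename']` has the same shape, though the surrounding error handling is outside the hunk). The same guard is now duplicated in both hunks ahead of an identical traversal check that only inspects the first character and a `..` substring; both copies would be easier to keep consistent as one helper that canonicalises the joined path and verifies it stays under `output_dir` (e.g. `os.path.commonpath` over `os.path.realpath`), provided that agrees with how `output_dir` is used later, which is not visible here. A short body on the new response, e.g. `return web.Response(status=400, text="filename is required")`, would also distinguish this rejection from the traversal rejection that shares the same status. Both enclosing handlers start and end outside the hunks.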