mirror of
https://github.com/comfyanonymous/ComfyUI.git
synced 2025-03-15 14:09:36 +00:00
PromptServer: Return 400 for empty filename param (#6504)
This commit is contained in:
parent
507199d9a8
commit
3a3910f91d
@ -329,6 +329,9 @@ class PromptServer():
|
|||||||
original_ref = json.loads(post.get("original_ref"))
|
original_ref = json.loads(post.get("original_ref"))
|
||||||
filename, output_dir = folder_paths.annotated_filepath(original_ref['filename'])
|
filename, output_dir = folder_paths.annotated_filepath(original_ref['filename'])
|
||||||
|
|
||||||
|
if not filename:
|
||||||
|
return web.Response(status=400)
|
||||||
|
|
||||||
# validation for security: prevent accessing arbitrary path
|
# validation for security: prevent accessing arbitrary path
|
||||||
if filename[0] == '/' or '..' in filename:
|
if filename[0] == '/' or '..' in filename:
|
||||||
return web.Response(status=400)
|
return web.Response(status=400)
|
||||||
@ -370,6 +373,9 @@ class PromptServer():
|
|||||||
filename = request.rel_url.query["filename"]
|
filename = request.rel_url.query["filename"]
|
||||||
filename,output_dir = folder_paths.annotated_filepath(filename)
|
filename,output_dir = folder_paths.annotated_filepath(filename)
|
||||||
|
|
||||||
|
if not filename:
|
||||||
|
return web.Response(status=400)
|
||||||
|
|
||||||
# validation for security: prevent accessing arbitrary path
|
# validation for security: prevent accessing arbitrary path
|
||||||
if filename[0] == '/' or '..' in filename:
|
if filename[0] == '/' or '..' in filename:
|
||||||
return web.Response(status=400)
|
return web.Response(status=400)
|
||||||
|
Loading…
Reference in New Issue
Block a user