Skip to content
代码片段 群组 项目
提交 b1294fa4 编辑于 作者: m957ymj75urz's avatar m957ymj75urz
浏览文件

fix path traversal for /view

上级 5b425aaa
No related branches found
No related tags found
无相关合并请求
隐藏空白变更内容
行内 左右并排
显示
5 个添加1 个删除
server.py
+ 5
1
浏览文件 @ b1294fa4
......@@ -118,11 +118,15 @@ class PromptServer():
output_dir = os.path.join(os.path.dirname(os.path.realpath(__file__)), type)
if "subfolder" in request.rel_url.query:
output_dir = os.path.join(output_dir, request.rel_url.query["subfolder"])
full_output_dir = os.path.join(output_dir, request.rel_url.query["subfolder"])
if os.path.commonpath((os.path.realpath(full_output_dir), output_dir)) != output_dir:
return web.Response(status=403)
output_dir = full_output_dir
file = request.rel_url.query["file"]
file = os.path.basename(file)
file = os.path.join(output_dir, file)
if os.path.isfile(file):
return web.FileResponse(file)
......
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册