From 2e5eb70db329d74f92c9807bbc5f64e4433ec045 Mon Sep 17 00:00:00 2001
From: "dr.lt.data"
Date: Mon, 22 Apr 2024 10:16:11 +0900
Subject: [PATCH] security fix https://github.com/ltdrdata/ComfyUI-Manager/issues/594
---
 glob/manager_core.py | 2 +-
 glob/manager_server.py | 16 ++++++----------
 js/common.js | 10 ++++++++--
 3 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/glob/manager_core.py b/glob/manager_core.py
index ec446f71..5e411aa1 100644
--- a/glob/manager_core.py
+++ b/glob/manager_core.py
@@ -21,7 +21,7 @@ sys.path.append(glob_path)
 import cm_global
 from manager_util import *
-version = [2, 21, 2]
+version = [2, 21, 3]
 version_str = f"V{version[0]}.{version[1]}" + (f'.{version[2]}' if len(version) > 2 else '')
 comfyui_manager_path = os.path.abspath(os.path.join(os.path.dirname(__file__), '..'))
diff --git a/glob/manager_server.py b/glob/manager_server.py
index c8431f9b..289314c4 100644
--- a/glob/manager_server.py
+++ b/glob/manager_server.py
@@ -792,12 +792,10 @@ async def fix_custom_node(request):
 return web.Response(status=400)
-@PromptServer.instance.routes.get("/customnode/install/git_url")
+@PromptServer.instance.routes.post("/customnode/install/git_url")
 async def install_custom_node_git_url(request):
- res = False
- if "url" in request.rel_url.query:
- url = request.rel_url.query['url']
- res = core.gitclone_install([url])
+ url = await request.text()
+ res = core.gitclone_install([url])
 if res:
 print(f"After restarting ComfyUI, please refresh the browser.")
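Review bot: The rewritten `install_custom_node_git_url` passes whatever arrives in the request body to `core.gitclone_install([url])` without checking that it is non-empty or looks like a repository URL, where the removed lines at least answered 400 when no `url` was supplied; the pip handler in the next hunk does the same with `packages.split(' ')`, so option-like tokens reach `core.pip_install` unless that function filters them (not visible here). A guard such as `url = (await request.text()).strip()` followed by `if not url: return web.Response(status=400)` would restore the old rejection path. Changing the verb to POST does not by itself establish who sent the request, because a plain-text POST needs no CORS preflight, so both handlers should also check the `Origin`/`Host` header or require a JSON content type. The pip handler still reuses the name `install_custom_node_git_url` and returns 200 whatever `core.pip_install` did. The body of the git_url handler continues outside this hunk.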
@@ -806,12 +804,10 @@ async def install_custom_node_git_url(request):
 return web.Response(status=400)
-@PromptServer.instance.routes.get("/customnode/install/pip")
+@PromptServer.instance.routes.post("/customnode/install/pip")
 async def install_custom_node_git_url(request):
- res = False
- if "packages" in request.rel_url.query:
- packages = request.rel_url.query['packages']
- core.pip_install(packages.split(' '))
+ packages = await request.text()
+ core.pip_install(packages.split(' '))
 return web.Response(status=200)
diff --git a/js/common.js b/js/common.js
index 0815c1eb..b4f12c41 100644
--- a/js/common.js
+++ b/js/common.js
@@ -89,7 +89,10 @@ export async function install_pip(packages) {
 if(packages.includes('&')) app.ui.dialog.show(`Invalid PIP package enumeration: '${packages}'`);
- const res = await api.fetchApi(`/customnode/install/pip?packages=${packages}`);
+ const res = await api.fetchApi("/customnode/install/pip", {
+ method: "POST",
+ body: packages,
+ });
 if(res.status == 200) {
 app.ui.dialog.show(`PIP package installation is processed.
To apply the pip packages, please click the button in ComfyUI.`);
@@ -121,7 +124,10 @@ export async function install_via_git_url(url, manager_dialog) {
 app.ui.dialog.show(`Wait...

Installing '${url}'`);
 app.ui.dialog.element.style.zIndex = 10010;
- const res = await api.fetchApi(`/customnode/install/git_url?url=${url}`);
+ const res = await api.fetchApi("/customnode/install/git_url", {
+ method: "POST",
+ body: url,
+ });
 if(res.status == 200) {
 app.ui.dialog.show(`'${url}' is installed
To apply the installed custom node, please ComfyUI.`);
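Review bot: The rewritten `api.fetchApi` call in `install_via_git_url`, like the one in `install_pip` in the hunk before it, sends the bare string as `body` with no `headers`, so unless `api.fetchApi` sets a content type itself the request goes out as the browser's default `text/plain`. Sending `body: JSON.stringify({url})` with `headers: {"Content-Type": "application/json"}` would give the server handlers a type they can insist on and reject everything else. In `install_pip` the `packages.includes('&')` guard kept as context only shows a dialog and does not return, so the POST is still sent afterwards; now that the value no longer travels in a query string the guard should either `return` or be dropped. Both function bodies continue outside their hunks.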