wangbo/ComfyUI-Manager
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI-Manager.git synced 2026-05-14 19:07:28 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

chore: remove em-dashes from comments

Browse Source
This commit is contained in:
SAY-5 2026-05-11 13:01:13 -07:00
parent 481c4b6772
commit 46566848bb
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
glob/manager_server.py
View File

@ -333,7 +333,7 @@ def _reject_simple_form_content_type(request):
Applied ONLY to POST handlers that do not consume a request body (e.g., Applied ONLY to POST handlers that do not consume a request body (e.g.,
/snapshot/save, /manager/queue/{reset,start,update_comfyui}, /snapshot/save, /manager/queue/{reset,start,update_comfyui},
/manager/reboot). These are vulnerable to cross-origin <form method=POST> /manager/reboot). These are vulnerable to cross-origin <form method=POST>
attacks because the handler accepts the request without parsing any body attacks because the handler accepts the request without parsing any body,
the attacker needs no ability to forge a valid payload, only to point a the attacker needs no ability to forge a valid payload, only to point a
hidden form at the URL. hidden form at the URL.
@ -342,8 +342,8 @@ def _reject_simple_form_content_type(request):
body because the browser refuses to send ``application/json`` without a body because the browser refuses to send ``application/json`` without a
CORS preflight, which this server does not answer. CORS preflight, which this server does not answer.
DO NOT add this gate to body-reading handlers redundant and UX-breaking. DO NOT add this gate to body-reading handlers, redundant and UX-breaking.
DO NOT remove this gate from no-body handlers this is the bypass vector. DO NOT remove this gate from no-body handlers, this is the bypass vector.
aiohttp's ``request.content_type`` normalizes the header (lower-cases, aiohttp's ``request.content_type`` normalizes the header (lower-cases,
strips parameters), so ``multipart/form-data; boundary=----X`` is compared strips parameters), so ``multipart/form-data; boundary=----X`` is compared
@ -353,7 +353,7 @@ def _reject_simple_form_content_type(request):
web.Response(status=400) when the request has a simple-form web.Response(status=400) when the request has a simple-form
Content-Type that must be rejected. None when the request is allowed Content-Type that must be rejected. None when the request is allowed
to proceed (no Content-Type, application/json, or any non-simple to proceed (no Content-Type, application/json, or any non-simple
Content-Type, or no request object internal caller). Content-Type, or no request object, internal caller).
""" """
# Internal callers (e.g. legacy-UI batch flows) invoke route handlers # Internal callers (e.g. legacy-UI batch flows) invoke route handlers
# directly with request=None; there is no Content-Type to gate. # directly with request=None; there is no Content-Type to gate.

2
tests/test_csrf_content_type_helper.py
View File

@ -23,7 +23,7 @@ from aiohttp.test_utils import TestClient, TestServer
# Parse the helper from manager_server.py without importing it, to avoid # Parse the helper from manager_server.py without importing it, to avoid
# pulling in the full ComfyUI/PromptServer stack. Note: we intentionally do # pulling in the full ComfyUI/PromptServer stack. Note: we intentionally do
# NOT add the `glob/` directory to sys.path the dir name would shadow # NOT add the `glob/` directory to sys.path, the dir name would shadow
# Python's stdlib `glob` module and break pytest collection. # Python's stdlib `glob` module and break pytest collection.
REPO_ROOT = Path(__file__).resolve().parent.parent REPO_ROOT = Path(__file__).resolve().parent.parent