fix(security): register extension.manager.supports_csrf_post feature flag (4.2.1)

Expose CSRF-POST backend capability as a semantic contract via ComfyUI core's feature_flags mechanism, so frontends (ComfyUI_frontend, extensions) can detect it without parsing version strings. Pre-4.2.1 Manager does not set the flag — clients observe its absence and should treat the backend as "incompatible with POST-only state-mutation endpoints" and prompt the user to upgrade. Follow-up patch to 4.2 (PR #2818); no endpoint or security behavior change. Reported-by: XlabAI Team of Tencent Xuanwu Lab CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
2026-05-10 00:52:32 +08:00 · 2026-04-22 09:24:19 +09:00 · 2026-04-22 09:24:19 +09:00 · 8eb773e39b
commit 8eb773e39b
parent 4410ebc6a6
3 changed files with 31 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,16 @@ All notable changes to **ComfyUI-Manager** are documented in this file.
 The format is based on [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html).

+## [4.2.1] - 2026-04-22
+
+### Added
+
+- Server-push feature flag `extension.manager.supports_csrf_post` registered at
+  startup, allowing ComfyUI-frontend (and other clients) to detect
+  CSRF-POST backend support as a semantic capability contract, without
+  relying on version string parsing. Pre-4.2.1 Manager does not set the
+  flag — clients should treat its absence as 'incompatible with NEW_UI'.
+
 ## [Unreleased]

 Security-hardening release on branch `fix/csrf-post-conversion`. Contains
@ -120,4 +130,5 @@ below before upgrading programmatic clients.
  perform the change from a trusted entry point. Read access via `GET` is
  unaffected.

+[4.2.1]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.2...v4.2.1
 [Unreleased]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.1b6...HEAD
--- a/comfyui_manager/init.py
+++ b/comfyui_manager/init.py
@ -6,6 +6,25 @@ from .common import manager_security
 from comfy.cli_args import args


+# Register server-push feature flag so frontends (ComfyUI_frontend) can
+# detect CSRF-POST backend capability as a semantic contract (vs version
+# string parsing). See PR #2818 for context; cmfront uses this flag to
+# decide whether to invoke POST state-mutation endpoints. Pre-4.2.1 Manager
+# does not set this flag — cmfront treats its absence as 'incompatible'.
+try:
+    from comfy_api import feature_flags as _core_feature_flags
+    _mgr_flags = (
+        _core_feature_flags.SERVER_FEATURE_FLAGS
+        .setdefault('extension', {})
+        .setdefault('manager', {})
+    )
+    _mgr_flags['supports_csrf_post'] = True
+except ImportError:
+    # Older ComfyUI core without comfy_api.feature_flags module.
+    # Manager functions but cmfront will not observe the flag.
+    pass
+
+
 def prestartup():
    from . import prestartup_script  # noqa: F401
    logging.info('[PRE] ComfyUI-Manager')
--- a/pyproject.toml
+++ b/pyproject.toml
@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "comfyui-manager"
 license = { text = "GPL-3.0-only" }
-version = "4.2"
+version = "4.2.1"
 requires-python = ">= 3.9"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
 readme = "README.md"