From 8eb773e39b561fff126bf9137b8a6947b0a0083c Mon Sep 17 00:00:00 2001
From: "Dr.Lt.Data"
Date: Wed, 22 Apr 2026 09:24:19 +0900
Subject: [PATCH] fix(security): register extension.manager.supports_csrf_post feature flag (4.2.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Expose CSRF-POST backend capability as a semantic contract via ComfyUI core's feature_flags mechanism, so frontends (ComfyUI_frontend, extensions) can detect it without parsing version strings. Pre-4.2.1 Manager does not set the flag — clients observe its absence and should treat the backend as "incompatible with POST-only state-mutation endpoints" and prompt the user to upgrade.

Follow-up patch to 4.2 (PR #2818); no endpoint or security behavior change.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
---
 CHANGELOG.md | 11 +++++++++++
 comfyui_manager/__init__.py | 19 +++++++++++++++++++
 pyproject.toml | 2 +-
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a22b79e1..d492905f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,16 @@ All notable changes to **ComfyUI-Manager** are documented in this file.
 The format is based on [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html).
+## [4.2.1] - 2026-04-22
+
+### Added
+
+- Server-push feature flag `extension.manager.supports_csrf_post` registered at
+  startup, allowing ComfyUI-frontend (and other clients) to detect
+  CSRF-POST backend support as a semantic capability contract, without
+  relying on version string parsing. Pre-4.2.1 Manager does not set the
+  flag — clients should treat its absence as 'incompatible with NEW_UI'.
+
 ## [Unreleased]
 Security-hardening release on branch `fix/csrf-post-conversion`. Contains
@@ -120,4 +130,5 @@ below before upgrading programmatic clients.
 perform the change from a trusted entry point. Read access via `GET` is unaffected.
+[4.2.1]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.2...v4.2.1
 [Unreleased]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.1b6...HEAD
diff --git a/comfyui_manager/__init__.py b/comfyui_manager/__init__.py
index 49728f79..7f01600c 100644
--- a/comfyui_manager/__init__.py
+++ b/comfyui_manager/__init__.py
@@ -6,6 +6,25 @@ from .common import manager_security
 from comfy.cli_args import args
+# Register server-push feature flag so frontends (ComfyUI_frontend) can
+# detect CSRF-POST backend capability as a semantic contract (vs version
+# string parsing). See PR #2818 for context; cmfront uses this flag to
+# decide whether to invoke POST state-mutation endpoints. Pre-4.2.1 Manager
+# does not set this flag — cmfront treats its absence as 'incompatible'.
+try:
+    from comfy_api import feature_flags as _core_feature_flags
+    _mgr_flags = (
+        _core_feature_flags.SERVER_FEATURE_FLAGS
+        .setdefault('extension', {})
+        .setdefault('manager', {})
+    )
+    _mgr_flags['supports_csrf_post'] = True
+except ImportError:
+    # Older ComfyUI core without comfy_api.feature_flags module.
+    # Manager functions but cmfront will not observe the flag.
+    pass
+
+
 def prestartup():
     from . import prestartup_script # noqa: F401
     logging.info('[PRE] ComfyUI-Manager')
diff --git a/pyproject.toml b/pyproject.toml
index d1aaa1cb..6ab85293 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "comfyui-manager"
 license = { text = "GPL-3.0-only" }
-version = "4.2"
+version = "4.2.1"
 requires-python = ">= 3.9"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
 readme = "README.md"
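Review bot: The `except ImportError:` fallback in the new top-level block of `comfyui_manager/__init__.py` does not cover the failures the `.setdefault(...)` chain can actually raise: a core that ships `comfy_api.feature_flags` without a `SERVER_FEATURE_FLAGS` attribute, or an `extension`/`manager` entry that another extension registered as a non-dict, raises `AttributeError`/`TypeError` at import time and would fail the import of the whole `comfyui_manager` package, the opposite of the best-effort intent stated in the branch comment. I would catch those too and leave an operator-visible trace, since a user running the new Manager on an old core otherwise sees only the frontend's "incompatible, please upgrade" with nothing on the server side: `except (ImportError, AttributeError, TypeError) as exc:` / `logging.debug('[Manager] feature flag not registered: %s', exc)` (`logging` is already used in this module). Separately, the flag is an unconditional import-time claim that this backend mutates state only over POST; if any runtime mode selectable through `manager_security` or `args` (both imported just above the block) still serves a mutating GET route, the client's fail-closed check would be satisfied while the property it relies on is not, so either confirm that or say in the comment that the flag describes this version's routing rather than the active security level. `prestartup` continues past the end of the hunk.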