wangbo/ComfyUI-Manager
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI-Manager.git synced 2025-12-21 20:30:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fixed: robust validation when model downloading

Browse Source
This commit is contained in:
Dr.Lt.Data 2025-03-12 21:10:02 +09:00
parent 4566c585db
commit bbb54d4a08
3 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
glob/manager_core.py
View File

@ -43,7 +43,7 @@ import manager_downloader
from node_package import InstalledNodePackage from node_package import InstalledNodePackage
version_code = [3, 30, 7] version_code = [3, 30, 8]
version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '') version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')

7
glob/manager_server.py
View File

@ -273,7 +273,7 @@ import zipfile
import urllib.request import urllib.request
def get_model_dir(data, show_log=False): def get_model_dir(data, show_log=False) -> str | None:
if 'download_model_base' in folder_paths.folder_names_and_paths: if 'download_model_base' in folder_paths.folder_names_and_paths:
models_base = folder_paths.folder_names_and_paths['download_model_base'][0][0] models_base = folder_paths.folder_names_and_paths['download_model_base'][0][0]
else: else:
@ -281,6 +281,11 @@ def get_model_dir(data, show_log=False):
def resolve_custom_node(save_path): def resolve_custom_node(save_path):
save_path = save_path[13:] # remove 'custom_nodes/' save_path = save_path[13:] # remove 'custom_nodes/'
# NOTE: Validate to prevent path traversal.
if save_path.startswith(os.path.sep) or ':' in save_path:
return None
repo_name = save_path.replace('\\','/').split('/')[0] # get custom node repo name repo_name = save_path.replace('\\','/').split('/')[0] # get custom node repo name
# NOTE: The creation of files within the custom node path should be removed in the future. # NOTE: The creation of files within the custom node path should be removed in the future.

2
pyproject.toml
View File

@ -1,7 +1,7 @@
[project] [project]
name = "comfyui-manager" name = "comfyui-manager"
description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI." description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
version = "3.30.7" version = "3.30.8"
license = { file = "LICENSE.txt" } license = { file = "LICENSE.txt" }
dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"] dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"]