feat(security): use system user directory for manager data

Use folder_paths.get_system_user_directory("manager") to protect manager config and data from HTTP endpoint access. Ref: comfyanonymous/ComfyUI#10966
2025-12-16 01:57:04 +08:00 · 2025-12-03 02:34:57 +09:00 · 2025-12-03 02:34:57 +09:00 · c69e7bcf03
commit c69e7bcf03
parent 85ebcd9897
3 changed files with 6 additions and 6 deletions
--- a/comfyui_manager/common/context.py
+++ b/comfyui_manager/common/context.py
@ -34,7 +34,7 @@ manager_pip_blacklist_path = None
 manager_components_path = None
 manager_batch_history_path = None

-def update_user_directory(user_dir):
+def update_user_directory(manager_dir):
    global manager_files_path
    global manager_config_path
    global manager_channel_list_path
@ -45,7 +45,7 @@ def update_user_directory(user_dir):
    global manager_components_path
    global manager_batch_history_path

-    manager_files_path = os.path.abspath(os.path.join(user_dir, 'default', 'ComfyUI-Manager'))
+    manager_files_path = manager_dir
    if not os.path.exists(manager_files_path):
        os.makedirs(manager_files_path)

@ -73,7 +73,7 @@ def update_user_directory(user_dir):

 try:
    import folder_paths
-    update_user_directory(folder_paths.get_user_directory())
+    update_user_directory(folder_paths.get_system_user_directory("manager"))

 except Exception:
    # fallback:
--- a/comfyui_manager/prestartup_script.py
+++ b/comfyui_manager/prestartup_script.py
@ -80,7 +80,7 @@ cm_global.register_api('cm.is_import_failed_extension', is_import_failed_extensi
 comfyui_manager_path = os.path.abspath(os.path.dirname(__file__))

 custom_nodes_base_path = folder_paths.get_folder_paths('custom_nodes')[0]
-manager_files_path = os.path.abspath(os.path.join(folder_paths.get_user_directory(), 'default', 'ComfyUI-Manager'))
+manager_files_path = folder_paths.get_system_user_directory("manager")
 manager_pip_overrides_path = os.path.join(manager_files_path, "pip_overrides.json")
 manager_pip_blacklist_path = os.path.join(manager_files_path, "pip_blacklist.list")
 restore_snapshot_path = os.path.join(manager_files_path, "startup-scripts", "restore-snapshot.json")
@ -483,7 +483,7 @@ check_bypass_ssl()

 # Perform install
 processed_install = set()
-script_list_path = os.path.join(folder_paths.user_directory, "default", "ComfyUI-Manager", "startup-scripts", "install-scripts.txt")
+script_list_path = os.path.join(manager_files_path, "startup-scripts", "install-scripts.txt")
 pip_fixer = manager_util.PIPFixer(manager_util.get_installed_packages(), comfy_path, manager_files_path)


--- a/pyproject.toml
+++ b/pyproject.toml
@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "comfyui-manager"
 license = { text = "GPL-3.0-only" }
-version = "4.0.3b3"
+version = "4.0.3b4"
 requires-python = ">= 3.9"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
 readme = "README.md"