mirror of
https://github.com/Comfy-Org/ComfyUI-Manager.git
synced 2026-05-08 16:12:35 +08:00
4410ebc6a6
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted simple-form Content-Types (x-www-form-urlencoded, multipart/form-data, text/plain) on 16 no-body POST handlers (glob + legacy) to block <form method=POST> CSRF that bypasses method-only gating. Move comfyui_switch_version to a JSON body so the preflight requirement applies. Split db_mode/policy/update/channel_url_list into GET(read) + POST(write). Tighten do_fix (high → high+) and gate three previously-ungated config setters at middle. Resynchronize openapi.yaml (27 paths, 30 operations, ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage, and a CHANGELOG. Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/ reinstall/abort_current) are removed; callers already use queue/batch. Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained. Reported-by: XlabAI Team of Tencent Xuanwu Lab CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
29 lines
318 B
Plaintext
29 lines
318 B
Plaintext
__pycache__/
|
|
.idea/
|
|
.vscode/
|
|
.history/
|
|
*.code-workspace
|
|
.tmp
|
|
.cache
|
|
config.ini
|
|
snapshots/**
|
|
startup-scripts/**
|
|
.openart_key
|
|
.youml
|
|
matrix_auth
|
|
channels.list
|
|
comfyworkflows_sharekey
|
|
github-stats-cache.json
|
|
pip_overrides.json
|
|
*.json
|
|
check2.sh
|
|
/venv/
|
|
build
|
|
dist
|
|
*.egg-info
|
|
.env
|
|
.claude
|
|
test_venv
|
|
node_modules/
|
|
artifacts/
|