wangbo/ComfyUI-Manager
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI-Manager.git synced 2026-05-09 00:22:51 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
4410ebc6a6
ComfyUI-Manager/tests/e2e/scripts/start_comfyui_legacy.sh
Dr.Lt.Data 4410ebc6a6
Some checks are pending
Publish to PyPI / build-and-publish (push) Waiting to run
Details
Python Linting / Run Ruff (push) Waiting to run
Details
fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 16 no-body POST handlers (glob + legacy) to block
<form method=POST> CSRF that bypasses method-only gating. Move
comfyui_switch_version to a JSON body so the preflight requirement applies.
Split db_mode/policy/update/channel_url_list into GET(read) + POST(write).
Tighten do_fix (high → high+) and gate three previously-ungated config
setters at middle. Resynchronize openapi.yaml (27 paths, 30 operations,
ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness
variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage,
and a CHANGELOG.

Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/
reinstall/abort_current) are removed; callers already use queue/batch.
Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
2026-04-22 05:04:30 +09:00

28 lines
1.1 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# start_comfyui_legacy.sh — Thin wrapper that launches ComfyUI in LEGACY UI mode.
#
# Delegates to start_comfyui.sh with ENABLE_LEGACY_UI=1. The underlying script
# translates that into --enable-manager-legacy-ui on main.py, which registers
# the legacy Manager dialog frontend and routes POST /v2/manager/queue/* to
# the legacy handler module (legacy/manager_server.py).
#
# Use this wrapper for Playwright legacy-UI tests (tests/playwright/legacy-ui-*).
# Do NOT use for pytest suites that hit glob-only v2 endpoints (e.g.
# /v2/manager/queue/task), because glob/manager_server and legacy/manager_server
# are mutex-loaded — see comfyui_manager/__init__.py::start().
#
# Input env vars (forwarded to start_comfyui.sh):
# E2E_ROOT — required
# PORT — default 8199
# TIMEOUT — default 120
#
# Output (last line on success, inherited from start_comfyui.sh):
# COMFYUI_PID=<pid> PORT=<port>
#
# Exit: 0=ready, 1=timeout/failure
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
exec env ENABLE_LEGACY_UI=1 bash "$SCRIPT_DIR/start_comfyui.sh" "$@"
Reference in New Issue View Git Blame Copy Permalink