fix: prevent symlink-based path traversal in /view endpoint

Resolve symlinks before path validation to prevent attackers from
using symlinks to read arbitrary files outside allowed directories.

Previously, os.path.commonpath() validation occurred before symlink
resolution, allowing attackers to create symlinks in input/output/temp
directories pointing to sensitive files like /etc/passwd or SSH keys.

The fix uses os.path.realpath() to resolve symlinks before checking
if the path is within allowed directories.

Fixes #12285

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mr-Neutr0n 2026-02-05 01:30:26 +05:30
parent e77b34dfea
commit d50064aa8b

@ -495,7 +495,10 @@ class PromptServer():
if "subfolder" in request.rel_url.query:
full_output_dir = os.path.join(output_dir, request.rel_url.query["subfolder"])
if os.path.commonpath((os.path.abspath(full_output_dir), output_dir)) != output_dir:
# Resolve symlinks BEFORE validation to prevent symlink-based path traversal
real_output_dir = os.path.realpath(full_output_dir)
real_base_dir = os.path.realpath(output_dir)
if not real_output_dir.startswith(real_base_dir + os.sep) and real_output_dir != real_base_dir:
return web.Response(status=403)
output_dir = full_output_dir
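
Review bot: The check validates real_output_dir, but the last line of the hunk still assigns the unresolved path (`output_dir = full_output_dir`), so the path used afterwards is not the path that was checked, and a symlink swapped in between the check and the later read would still be followed. Assigning `output_dir = real_output_dir` would make the check and the use agree. The commit message also describes symlinks that point at files such as /etc/passwd, while this hunk resolves only the directory built from "subfolder"; if a filename is joined to output_dir further down (not visible here), the final file path needs the same realpath check before it is served. Smaller point: the hand-written startswith test rejects every subfolder when real_base_dir is a filesystem root, because `real_base_dir + os.sep` then becomes "//"; `os.path.commonpath((real_output_dir, real_base_dir)) != real_base_dir` keeps the idiom of the line being replaced and avoids that case.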