Merge 5585cca20b into 6bcd8b96ab

Revert "Fix Content-Disposition header missing 'attachment;' prefix (#13093 )" (#13733 )
This reverts commit ea6880b04b.
2026-05-25 08:27:25 +08:00 · 2026-05-07 04:50:26 +05:30 · 2026-05-06 10:08:35 -07:00 · 2026-04-29 06:22:31 +00:00 · 2026-04-29 05:56:01 +00:00
2 changed files with 18 additions and 5 deletions
--- a/api_server/routes/internal/internal_routes.py
+++ b/api_server/routes/internal/internal_routes.py
@ -3,6 +3,7 @@ from typing import Optional
 from folder_paths import folder_names_and_paths, get_directory_by_type
 from api_server.services.terminal_service import TerminalService
 import app.logger
+import ipaddress
 import os

 class InternalRoutes:
@ -72,7 +73,19 @@ class InternalRoutes:

    def get_app(self):
        if self._app is None:
-            self._app = web.Application()
+            self._app = web.Application(middlewares=[self._local_only_middleware])
            self.setup_routes()
            self._app.add_routes(self.routes)
        return self._app
+
+    @web.middleware
+    async def _local_only_middleware(self, request, handler):
+        remote = request.remote
+        if remote is None:
+            raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
+        try:
+            if not ipaddress.ip_address(remote).is_loopback:
+                raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
+        except ValueError:
+            raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
+        return await handler(request)
--- a/server.py
+++ b/server.py
@ -560,7 +560,7 @@ class PromptServer():
                            buffer.seek(0)

                            return web.Response(body=buffer.read(), content_type=f'image/{image_format}',
-                                                headers={"Content-Disposition": f"attachment; filename=\"{filename}\""})
+                                                headers={"Content-Disposition": f"filename=\"{filename}\""})

                    if 'channel' not in request.rel_url.query:
                        channel = 'rgba'
@ -580,7 +580,7 @@ class PromptServer():
                            buffer.seek(0)

                            return web.Response(body=buffer.read(), content_type='image/png',
-                                                headers={"Content-Disposition": f"attachment; filename=\"{filename}\""})
+                                                headers={"Content-Disposition": f"filename=\"{filename}\""})

                    elif channel == 'a':
                        with Image.open(file) as img:
@ -597,7 +597,7 @@ class PromptServer():
                            alpha_buffer.seek(0)

                            return web.Response(body=alpha_buffer.read(), content_type='image/png',
-                                                headers={"Content-Disposition": f"attachment; filename=\"{filename}\""})
+                                                headers={"Content-Disposition": f"filename=\"{filename}\""})
                    else:
                        # Use the content type from asset resolution if available,
                        # otherwise guess from the filename.
@ -614,7 +614,7 @@ class PromptServer():
                        return web.FileResponse(
                            file,
                            headers={
-                                "Content-Disposition": f"attachment; filename=\"{filename}\"",
+                                "Content-Disposition": f"filename=\"{filename}\"",
                                "Content-Type": content_type
                            }
                        )
Author	SHA1	Message	Date
orbisai0security	d6a42e7e3a	Merge `5585cca20b` into `6bcd8b96ab`	2026-05-07 04:50:26 +05:30
guill	6bcd8b96ab	Revert "Fix Content-Disposition header missing 'attachment;' prefix (#13093 )" (#13733 ) Some checks are pending Python Linting / Run Ruff (push) Waiting to run Details Python Linting / Run Pylint (push) Waiting to run Details Full Comfy CI Workflow Runs / test-stable (12.1, , linux, 3.10, [self-hosted Linux], stable) (push) Waiting to run Details Full Comfy CI Workflow Runs / test-stable (12.1, , linux, 3.11, [self-hosted Linux], stable) (push) Waiting to run Details Full Comfy CI Workflow Runs / test-stable (12.1, , linux, 3.12, [self-hosted Linux], stable) (push) Waiting to run Details Full Comfy CI Workflow Runs / test-unix-nightly (12.1, , linux, 3.11, [self-hosted Linux], nightly) (push) Waiting to run Details Execution Tests / test (macos-latest) (push) Waiting to run Details Execution Tests / test (ubuntu-latest) (push) Waiting to run Details Execution Tests / test (windows-latest) (push) Waiting to run Details Test server launches without errors / test (push) Waiting to run Details Unit Tests / test (macos-latest) (push) Waiting to run Details Unit Tests / test (ubuntu-latest) (push) Waiting to run Details Unit Tests / test (windows-2022) (push) Waiting to run Details This reverts commit `ea6880b04b`.	2026-05-06 10:08:35 -07:00
orbisai0security	5585cca20b	Apply code changes: @orbisai0security can you address code review comm...	2026-04-29 06:22:31 +00:00
orbisai0security	ea86d843de	fix: V-001 security vulnerability Automated security fix generated by Orbis Security AI	2026-04-29 05:56:01 +00:00