mirror of
https://github.com/comfyanonymous/ComfyUI.git
synced 2026-06-17 21:39:45 +08:00
Latest commit:

- Disable aiohttp auto-redirects and re-validate every Location target against the same allowlist used for the initial URL, closing an SSRF vector where an allowed host could redirect to an arbitrary internal endpoint.
- Accept subdomains of allowlisted hosts so Hugging Face's LFS CDN (cdn-lfs.huggingface.co et al.) keeps working under the stricter redirect handling.
- Pass an explicit ClientTimeout (connect/sock_read) so hung remotes surface as errors instead of blocking the request handler forever.
- Log the exception value alongside the traceback on the 500 fallback.
- Add positive coverage for normalize_model_relative_path, Civitai URL allowlisting, and the redirect-following / SSRF-rejection branches of open_model_download_response.

Co-authored-by: Cursor <cursoragent@cursor.com>

| Name |
|---|
| .. |
| routes |
| services |
| utils |
| __init__.py |
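The commit message above describes the pattern that closes the redirect SSRF: turn off automatic redirects, then walk each Location by hand and re-check it against the same host allowlist (with subdomain matching) before fetching it. The block below is an added, stand-alone illustration of that pattern and is not ComfyUI's code; the function names, the allowlist contents, the hop limit, the fake remote and the pluggable `fetch` callable are all assumptions made for the example. It uses only the standard library so it runs offline; with aiohttp the same loop would call `session.get(url, allow_redirects=False, timeout=aiohttp.ClientTimeout(connect=..., sock_read=...))` at each hop.

```python
"""Hypothetical illustration of allowlist-checked manual redirect following.
Not ComfyUI's implementation; names and data below are constructed for the example."""
from typing import Callable, Iterable, Mapping, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed allowlist for the example (the project's real list is not reproduced here).
ALLOWED_HOSTS = frozenset({"huggingface.co", "civitai.com"})
MAX_REDIRECTS = 5  # assumed hop limit; also defends against redirect loops


def host_allowed(host: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Accept an exact allowlisted host or a proper subdomain of one.

    The '.' boundary matters: 'cdn-lfs.huggingface.co' passes, while
    'evilhuggingface.co' and 'huggingface.co.evil.net' do not.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def url_allowed(url: str) -> bool:
    """Scheme must be https and the parsed hostname must be allowlisted.

    urlsplit().hostname already strips userinfo, so 'https://huggingface.co@10.0.0.1/'
    is judged by its real host (10.0.0.1) and rejected; userinfo is refused outright too.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = parts.hostname
    return bool(host) and host_allowed(host)


class DisallowedRedirect(Exception):
    """Raised when the initial URL or any redirect target fails the allowlist."""


# A fetcher returns (status, headers) for a URL with redirects NOT followed automatically.
Fetcher = Callable[[str], Tuple[int, Mapping[str, str]]]


def _location(headers: Mapping[str, str]) -> Optional[str]:
    # Header names are case-insensitive; do not rely on the exact spelling.
    return next((v for k, v in headers.items() if k.lower() == "location"), None)


def resolve_with_allowlist(url: str, fetch: Fetcher,
                           max_redirects: int = MAX_REDIRECTS) -> Tuple[str, int]:
    """Follow redirects by hand, validating every hop before it is requested.

    Returns (final_url, status) for the first non-redirect response.
    """
    if not url_allowed(url):
        raise DisallowedRedirect(f"initial URL not allowlisted: {url}")
    current = url
    for _ in range(max_redirects + 1):
        status, headers = fetch(current)
        if status not in (301, 302, 303, 307, 308):
            return current, status
        location = _location(headers)
        if not location:
            raise DisallowedRedirect(f"redirect without Location from {current}")
        # A relative Location is resolved against the current URL, then re-checked.
        target = urljoin(current, location)
        if not url_allowed(target):
            raise DisallowedRedirect(f"redirect to non-allowlisted target: {target}")
        current = target
    raise DisallowedRedirect("too many redirects")


# Constructed fake remote for the example: URL -> (status, headers). No network is used.
FAKE_REMOTE = {
    "https://huggingface.co/m/model.safetensors":
        (302, {"location": "https://cdn-lfs.huggingface.co/blob/abc"}),
    "https://cdn-lfs.huggingface.co/blob/abc": (200, {}),
    # An allowed host bouncing to the cloud metadata endpoint: the SSRF case.
    "https://civitai.com/api/download/1":
        (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    # A relative Location that points back at itself: a redirect loop.
    "https://huggingface.co/loop": (302, {"Location": "/loop"}),
}


def fake_fetch(url: str) -> Tuple[int, Mapping[str, str]]:
    return FAKE_REMOTE.get(url, (404, {}))


def demo() -> dict:
    """Run the constructed cases and report the outcome of each."""
    cases = {
        "hf_lfs": "https://huggingface.co/m/model.safetensors",
        "civitai_to_metadata": "https://civitai.com/api/download/1",
        "loop": "https://huggingface.co/loop",
        "not_allowlisted": "https://example.com/model.bin",
    }
    results = {}
    for name, url in cases.items():
        try:
            results[name] = resolve_with_allowlist(url, fake_fetch)
        except DisallowedRedirect as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check runs on the resolved absolute target, not on the raw Location header, so relative redirects and scheme downgrades are caught the same way as absolute ones; the hop limit is what turns a redirect loop into an error instead of a hung handler.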