Mirror of https://github.com/comfyanonymous/ComfyUI.git, synced 2026-07-03 21:20:49 +08:00
- CVE-2026-56670: force download of SVG/XML responses on /view to prevent stored XSS
- CVE-2026-56671: contain /experiment/models/preview reads within the model folder
- CVE-2026-56672: stop inline rendering of uploaded /userdata/{file} content
- CVE-2026-56673: prevent path traversal in get_annotated_filepath (LoadImage /prompt input)
- CVE-2026-56674: reject opaque/null Origin to close the CSRF middleware bypass
Adds regression tests under tests-unit/security_test/ covering all five.
| Name |
|---|
| queries |
| services |
| conftest.py |
| helpers.py |
| test_assets_missing_sync.py |
| test_crud.py |
| test_downloads.py |
| test_file_utils.py |
| test_list_cursor.py |
| test_list_filter.py |
| test_metadata_filters.py |
| test_prompt_id_enforcement.py |
| test_prune_orphaned_assets.py |
| test_sync_references.py |
| test_tags_api.py |
| test_uploads.py |