ComfyUI/tests-unit/server_test
Varun Chawla 64e1c0a0a6
security: refine path traversal validation to allow consecutive dots in filenames
Fixes #12352

The previous validation incorrectly rejected filenames with consecutive dots
(e.g., test..png) by checking if '..' exists anywhere in the filename.

This commit refines the validation to:
- Block actual path traversal patterns: '../', '/..'
- Block filenames starting with '..' (e.g., '..secret')
- Block absolute paths starting with '/'
- Allow consecutive dots in filenames (e.g., 'test..png', 'my...file.jpg')

Changes:
- Updated validation logic in /view and /upload/mask endpoints
- Added comprehensive test suite covering both security and functionality
- All tests pass: blocks path traversal, allows valid filenames with dots
2026-03-17 22:18:02 -07:00
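
The rules listed in the commit message above, written out as an added example; this is not the ComfyUI code from the commit. `is_safe_filename`, `resolve_inside` and `SAMPLES` are hypothetical names, and the resolved-path containment check is an assumption that goes beyond what the commit message describes.

```python
import os
from typing import Optional

def is_safe_filename(name: str) -> bool:
    """String-level rules as listed in the commit message (re-implementation)."""
    if name.startswith("/"):            # absolute path
        return False
    if name.startswith(".."):           # '..', '../x', '..secret'
        return False
    if "../" in name or "/.." in name:  # traversal segment anywhere in the name
        return False
    return True                         # 'test..png', 'my...file.jpg' pass

def resolve_inside(base_dir: str, name: str) -> Optional[str]:
    """Assumption (not from the commit): after the string rules, resolve the
    joined path and require that it stays under base_dir. This also covers
    cases string matching cannot see, such as a symlink inside base_dir or a
    platform-specific separator."""
    if not is_safe_filename(name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:                  # e.g. different drives on Windows
        return None
    return target if inside else None

# Constructed sample inputs: (filename, expected result of is_safe_filename)
SAMPLES = [
    ("test..png", True),
    ("my...file.jpg", True),
    ("subfolder/image.png", True),
    ("../etc/passwd", False),
    ("a/../b.png", False),
    ("subfolder/..", False),
    ("..secret", False),
    ("/etc/passwd", False),
]

def mismatches() -> list:
    """Return the sample names whose verdict differs from the expected one."""
    return [n for n, want in SAMPLES if is_safe_filename(n) != want]

if __name__ == "__main__":
    for n, _ in SAMPLES:
        print(f"{n!r:24} -> {'allow' if is_safe_filename(n) else 'block'}")
```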
..
test_cache_control.py fix: use no-store cache headers to prevent stale frontend chunks (#12911) 2026-03-14 18:25:09 -04:00
test_view_endpoint.py security: refine path traversal validation to allow consecutive dots in filenames 2026-03-17 22:18:02 -07:00