EasyAI代码托管平台

mirror of https://github.com/comfyanonymous/ComfyUI.git synced 2026-03-18 07:35:05 +08:00

History

Varun Chawla dd9f4d1a32 security: refine path traversal validation to allow consecutive dots in filenames Fixes #12352 The previous validation incorrectly rejected filenames with consecutive dots (e.g., test..png) by checking if '..' exists anywhere in the filename. This commit refines the validation to: - Block actual path traversal patterns: '../', '/..' - Block filenames starting with '..' (e.g., '..secret') - Block absolute paths starting with '/' - Allow consecutive dots in filenames (e.g., 'test..png', 'my...file.jpg') Changes: - Updated validation logic in /view and /upload/mask endpoints - Added comprehensive test suite covering both security and functionality - All tests pass: blocks path traversal, allows valid filenames with dots	2026-02-19 23:50:28 -08:00
..
test_cache_control.py
test_view_endpoint.py	security: refine path traversal validation to allow consecutive dots in filenames	2026-02-19 23:50:28 -08:00

security: refine path traversal validation to allow consecutive dots in filenames

Fixes #12352

The previous validation incorrectly rejected filenames with consecutive dots
(e.g., test..png) by checking if '..' exists anywhere in the filename.

This commit refines the validation to:
- Block actual path traversal patterns: '../', '/..'
- Block filenames starting with '..' (e.g., '..secret')
- Block absolute paths starting with '/'
- Allow consecutive dots in filenames (e.g., 'test..png', 'my...file.jpg')

Changes:
- Updated validation logic in /view and /upload/mask endpoints
- Added comprehensive test suite covering both security and functionality
- All tests pass: blocks path traversal, allows valid filenames with dots

2026-02-19 23:50:28 -08:00

test_cache_control.py

test_view_endpoint.py

security: refine path traversal validation to allow consecutive dots in filenames

2026-02-19 23:50:28 -08:00