8000 Update fix for potential XSS on /view (#8384) · psy-repos-python/ComfyUI@4f4f1c6 · GitHub

Commit 4f4f1c6

Update fix for potential XSS on /view (comfyanonymous#8384)
* Update fix for potential XSS on /view

  This commit uses mimetypes to add more restricted filetypes to prevent from being served, since mimetypes are what browsers use to determine how to serve files.

* Fix typo

  Fixed a typo that prevented the program from running
1 parent 010954d commit 4f4f1c6
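The commit message above describes switching the /view guard from a file-extension denylist to a mime-type denylist. The following is an added example, not ComfyUI's own code, that puts the committed check beside a hardened variant; the names `committed_check`, `hardened_headers`, `BLOCKED_CONTENT_TYPES` and `BLOCKED_EXTENSIONS` are assumptions, as are the two extra types and the widened extension set. The point it demonstrates is that `mimetypes.guess_type` consults the host's mime database (and changed its `.js` answer in Python 3.12), so a pure content-type denylist can miss on some installs, whereas checking extension and type together with `Content-Disposition: attachment` and `nosniff` does not depend on that table.

```python
import mimetypes
import os

# Example code added beside the commit, not ComfyUI's own. It reproduces the
# committed check and places a hardened variant next to it.

# Content types a browser renders inline and that /view should force to
# download. The commit's own five types plus two additions (assumption):
# 'application/javascript', which mimetypes returns for .js on Python versions
# before 3.12, and 'image/svg+xml', which renders inline and can embed script.
BLOCKED_CONTENT_TYPES = {
    'text/html', 'text/html-sandboxed', 'application/xhtml+xml',
    'text/javascript', 'application/javascript', 'text/css',
    'image/svg+xml',
}

# Extension denylist (the check the commit removed, widened as an assumption),
# kept because guess_type() is only as good as the host's mime database.
BLOCKED_EXTENSIONS = {'.html', '.htm', '.xhtml', '.js', '.mjs', '.css', '.svg'}


def guess_content_type(filename):
    """Same fallback the committed code uses: unknown extension -> octet-stream."""
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'


def committed_check(filename):
    """The check as committed: a denylist of five mime types."""
    content_type = guess_content_type(filename)
    if content_type in {'text/html', 'text/html-sandboxed', 'application/xhtml+xml',
                        'text/javascript', 'text/css'}:
        content_type = 'application/octet-stream'  # Forces download
    return content_type


def hardened_headers(filename):
    """Hardened variant (assumption, not in the commit): match on both the
    guessed type and the extension, force download with Content-Disposition as
    well as the content type, and always disable content sniffing."""
    content_type = guess_content_type(filename)
    extension = os.path.splitext(filename)[1].lower()
    headers = {'X-Content-Type-Options': 'nosniff'}
    if content_type in BLOCKED_CONTENT_TYPES or extension in BLOCKED_EXTENSIONS:
        content_type = 'application/octet-stream'
        # Bare 'attachment' on purpose: no user-controlled filename in the header.
        headers['Content-Disposition'] = 'attachment'
    headers['Content-Type'] = content_type
    return headers


if __name__ == '__main__':
    # Constructed sample filenames of the kind an output directory might hold.
    for name in ['output.png', 'index.html', 'loader.js', 'logo.svg', 'notes']:
        print(f"{name:12} committed={committed_check(name):26} "
              f"hardened={hardened_headers(name)['Content-Type']}")
```

Running the script on a Python older than 3.12 typically shows `loader.js` passing the committed check as `application/javascript` while the hardened variant still forces it to download; on 3.12 and later both block it.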

1 file changed

+2
-3
lines changed

server.py

Lines changed: 2 additions & 3 deletions
@@ -476,9 +476,8 @@ async def view_image(request):
476476
# Get content type from mimetype, defaulting to 'application/octet-stream'
477477
content_type = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
478478

479-
# For security, force certain extensions to download instead of display
480-
file_extension = os.path.splitext(filename)[1].lower()
481-
if file_extension 54CB in {'.html', '.htm', '.js', '.css'}:
479+
# For security, force certain mimetypes to download instead of display
480+
if content_type in {'text/html', 'text/html-sandboxed', 'application/xhtml+xml', 'text/javascript', 'text/css'}:
482481
content_type = 'application/octet-stream' # Forces download
483482

484483
return web.FileResponse(
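Review bot: the new denylist in this hunk only matches what `mimetypes.guess_type` happens to return, and that is not stable across installs: Python versions before 3.12 report `.js` as `application/javascript` (and a host's own mime database can say the same), so `'text/javascript'` in the set will not match there and the script is still served inline; `image/svg+xml` is likewise rendered inline by browsers and is not in the set. Suggest keeping the removed `file_extension` check alongside the mime-type check rather than replacing it, and having `web.FileResponse` send `Content-Disposition: attachment` plus `X-Content-Type-Options: nosniff` for blocked files instead of relying on the content type alone to force the download.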

0 commit comments