oobabooga/text-generation-webui
1
0
Fork 0
mirror of https://github.com/oobabooga/text-generation-webui.git synced 2026-04-06 15:13:38 +00:00
Code Issues Projects Releases Packages Wiki Activity

Security: restrict file writes to user_data_dir, block extra_flags from API

Browse source
This commit is contained in:
oobabooga 2026-03-06 16:57:57 -03:00
parent d03923924a
commit b8b4471ab5
2 changed files with 5 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

11
modules/utils.py
View file

@ -27,21 +27,14 @@ def sanitize_filename(name):
def _is_path_allowed(abs_path_str):
"""Check if a path is under the project root or the configured user_data directory."""
"""Check if a path is under the configured user_data directory."""
abs_path = Path(abs_path_str).resolve()
root_folder = Path(__file__).resolve().parent.parent
user_data_resolved = shared.user_data_dir.resolve()
try:
abs_path.relative_to(root_folder)
return True
except ValueError:
pass
try:
abs_path.relative_to(user_data_resolved)
return True
except ValueError:
pass
return False
return False
def save_file(fname, contents):