Security: server-side file save roots, image URL SSRF protection, extension allowlist

modules/ui_session.py

@@ -30,7 +30,7 @@ def create_ui():
         if not mu:
             shared.gradio['save_settings'].click(
                 ui.gather_interface_values, gradio(shared.input_elements), gradio('interface_state')).then(
-                handle_save_settings, gradio('interface_state', 'preset_menu', 'extensions_menu', 'show_controls', 'theme_state'), gradio('save_contents', 'save_filename', 'save_root', 'file_saver'), show_progress=False)
+                handle_save_settings, gradio('interface_state', 'preset_menu', 'extensions_menu', 'show_controls', 'theme_state'), gradio('save_contents', 'save_filename', 'save_root', 'save_root_state', 'file_saver'), show_progress=False)
 
         shared.gradio['toggle_dark_mode'].click(
             lambda x: 'dark' if x == 'light' else 'light', gradio('theme_state'), gradio('theme_state')).then(
@@ -51,10 +51,12 @@ def create_ui():
 
 def handle_save_settings(state, preset, extensions, show_controls, theme):
     contents = ui.save_settings(state, preset, extensions, show_controls, theme, manual_save=True)
+    root = str(shared.user_data_dir) + "/"
     return [
         contents,
         "settings.yaml",
-        str(shared.user_data_dir) + "/",
+        root,
+        root,
         gr.update(visible=True)
     ]