Security: server-side file save roots, image URL SSRF protection, extension allowlist

This commit is contained in:
oobabooga 2026-03-17 22:24:36 -07:00
parent 08ff3f0f90
commit c8bb2129ba
6 changed files with 60 additions and 21 deletions


@ -47,6 +47,10 @@ def save_file(fname, contents):
logger.error(f'Invalid file path: \"{fname}\"')
return
if Path(abs_path_str).suffix.lower() not in ('.yaml', '.yml', '.json', '.txt', '.gbnf'):
logger.error(f'Refusing to save file with disallowed extension: \"{fname}\"')
return
with open(abs_path_str, 'w', encoding='utf-8') as f:
f.write(contents)
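Review bot: The allowlist on the new `if` line is an inline tuple literal with no explanation of why exactly these five types are permitted, so the policy is hard to find and cannot be reused by other save paths; hoist it to a module-level constant with a why-comment, e.g. `# Only file types the UI writes itself; any other suffix is refused (save allowlist)`, `ALLOWED_SAVE_EXTENSIONS = ('.yaml', '.yml', '.json', '.txt', '.gbnf')`, and `if Path(abs_path_str).suffix.lower() not in ALLOWED_SAVE_EXTENSIONS:`. Note that `Path(...).suffix` is empty both for a name without a dot and for a dotfile such as `.yaml`, so both are refused; that looks intended, but the log message could state it. The preceding root check (the `Invalid file path` branch) relies on how `abs_path_str` is built above the hunk; if it comes from `os.path.abspath` rather than a resolved path, symlinks inside the root are not followed, which is worth confirming. save_file's body starts before this hunk.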