Security: prevent path traversal in character/user/file save and delete

This commit is contained in:
oobabooga 2026-03-06 01:59:18 -03:00
parent 521ddbb722
commit eba262d47a
3 changed files with 22 additions and 3 deletions


@ -15,6 +15,17 @@ def gradio(*keys):
return [shared.gradio[k] for k in keys]
def sanitize_filename(name):
"""Strip path traversal components from a filename.
Returns only the final path component with leading dots removed,
preventing directory traversal via '../' or absolute paths.
"""
name = Path(name).name # drop all directory components
name = name.lstrip('.') # remove leading dots
return name
def _is_path_allowed(abs_path_str):
"""Check if a path is under the project root or the configured user_data directory."""
abs_path = Path(abs_path_str).resolve()