author | EyeDeck <eyedeck@gmail.com> | 2022-09-15 01:05:00 +0000 |
---|---|---|
committer | AUTOMATIC1111 <16777216c@gmail.com> | 2022-09-15 04:39:57 +0000 |
commit | dfb2e830d9f84fe5495c01ba0e70f5eaa2ce0bff (patch) | |
tree | d3934e09b2b9a5d3f5a486c57f7c6eaacd29c276 | |
parent | 4a626f6ea625b63fb802a7cfcf5f5116d44f776f (diff) | |
Improved directory sanitization when --hide_ui_dir_config
Fixes an issue where it's still possible to write to arbitrary directories through careful use of \.. or /.. in directory patterns
...and fix the regex to work better
reeeegex
-rw-r--r-- | modules/images.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/modules/images.py b/modules/images.py
index 8c06ff24..1c01d6d8 100644
--- a/modules/images.py
+++ b/modules/images.py
@@ -13,7 +13,7 @@ import string
import modules.shared
from modules import sd_samplers, shared
-from modules.shared import opts
+from modules.shared import opts, cmd_opts
LANCZOS = (Image.Resampling.LANCZOS if hasattr(Image, 'Resampling') else Image.LANCZOS)
@@ -277,6 +277,9 @@ def apply_filename_pattern(x, p, seed, prompt): x = x.replace("[model_hash]", shared.sd_model_hash)
x = x.replace("[date]", datetime.date.today().isoformat())
+ if cmd_opts.hide_ui_dir_config:
+ x = re.sub(r'^[\\/]+|\.{2,}[\\/]+|[\\/]+\.{2,}', '', x)
+
return x
def get_next_sequence_number(path, basename):
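Review bot: The single-pass `re.sub` on the added line still lets a parent-directory reference through: a pattern that is just `..` matches none of the three alternatives, and `..//..` is reduced to `..` because the first match consumes `..//` and the remaining `..` has no adjacent separator left to match against, so the result can still resolve to the parent of the output directory when it is joined with it. A drive-qualified pattern such as `C:\x` also passes untouched, and if the caller joins it with `os.path.join` on Windows the drive prefix wins and the path becomes absolute. Deleting substrings is the wrong shape for this check; splitting on separators and keeping only segments that are neither empty nor made solely of dots (after dropping any drive/UNC prefix with `os.path.splitdrive`, assuming `os` is imported at the top of the file — confirm) cannot be fooled by repetition. The `apply_filename_pattern` function starts before this hunk.
```python
    if cmd_opts.hide_ui_dir_config:
        # Rebuild the path from whitelisted segments rather than deleting substrings:
        # drop any drive/UNC prefix, empty segments and dot-only segments ('.', '..', '...').
        x = os.path.splitdrive(x)[1]
        x = '/'.join(seg for seg in re.split(r'[\\/]+', x) if seg.strip('.'))
    # … unchanged: return x …
```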