author | KyuSeok Jung <wjdrbtjr495@gmail.com> | 2022-11-05 18:08:45 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-05 18:08:45 +0000 |
commit | 9b7289c3493ba1f42aa5e7657d385124fec1f112 (patch) | |
tree | 37d86b581d265e06df7112e7a87f514de4702bc6 /webui.py | |
parent | 45b65e87e0ef64b3e457f7d20c62d591cdcd0e7b (diff) | |
parent | b08698a09a257365238e43cc9023ce7cf9af73c4 (diff) | |
download | stable-diffusion-webui-gfx803-9b7289c3493ba1f42aa5e7657d385124fec1f112.tar.gz stable-diffusion-webui-gfx803-9b7289c3493ba1f42aa5e7657d385124fec1f112.tar.bz2 stable-diffusion-webui-gfx803-9b7289c3493ba1f42aa5e7657d385124fec1f112.zip |
Merge branch 'master' into master
Diffstat (limited to 'webui.py')
-rw-r--r-- | webui.py | 40 |
1 files changed, 38 insertions, 2 deletions
@@ -5,6 +5,7 @@ import importlib import signal
import threading
from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
from fastapi.middleware.gzip import GZipMiddleware
from modules.paths import script_path
@@ -21,6 +22,7 @@ import modules.paths import modules.scripts
import modules.sd_hijack
import modules.sd_models
+import modules.sd_vae
import modules.shared as shared
import modules.txt2img
import modules.script_callbacks
@@ -33,7 +35,7 @@ from modules.shared import cmd_opts import modules.hypernetworks.hypernetwork
queue_lock = threading.Lock()
-
+server_name = "0.0.0.0" if cmd_opts.listen else cmd_opts.server_name
def wrap_queued_call(func):
def f(*args, **kwargs):
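Review bot: The new module-level `server_name` has no comment stating that the `"0.0.0.0"` branch exposes the UI on every network interface. The launch call further down applies `auth=` only when `cmd_opts.gradio_auth` is set, so a listening instance can be unauthenticated. I would add `# binds all interfaces when cmd_opts.listen is set; set gradio_auth when the host is reachable by others` above the assignment. The hunk also drops the blank line before `def wrap_queued_call`, which would be worth restoring.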
@@ -77,11 +79,27 @@ def initialize(): modules.scripts.load_scripts()
+ modules.sd_vae.refresh_vae_list()
modules.sd_models.load_model()
shared.opts.onchange("sd_model_checkpoint", wrap_queued_call(lambda: modules.sd_models.reload_model_weights()))
+ shared.opts.onchange("sd_vae", wrap_queued_call(lambda: modules.sd_vae.reload_vae_weights()), call=False)
shared.opts.onchange("sd_hypernetwork", wrap_queued_call(lambda: modules.hypernetworks.hypernetwork.load_hypernetwork(shared.opts.sd_hypernetwork)))
shared.opts.onchange("sd_hypernetwork_strength", modules.hypernetworks.hypernetwork.apply_strength)
+ if cmd_opts.tls_keyfile is not None and cmd_opts.tls_keyfile is not None:
+
+ try:
+ if not os.path.exists(cmd_opts.tls_keyfile):
+ print("Invalid path to TLS keyfile given")
+ if not os.path.exists(cmd_opts.tls_certfile):
+ print(f"Invalid path to TLS certfile: '{cmd_opts.tls_certfile}'")
+ except TypeError:
+ cmd_opts.tls_keyfile = cmd_opts.tls_certfile = None
+ print("TLS setup invalid, running webui without TLS")
+ else:
+ print("Running with TLS")
+
+
# make the program just exit at ctrl+c without waiting for anything
def sigint_handler(sig, frame):
print(f'Interrupted with signal {sig} in {frame}')
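Review bot: The guard in `initialize()` tests `cmd_opts.tls_keyfile is not None` twice and never tests `tls_certfile`, so a keyfile given without a certfile is caught only by the `TypeError` that `os.path.exists(None)` raises. A path that simply does not exist only prints a message; the `else` branch still prints "Running with TLS", and the values are still passed to `demo.launch` in `webui()`. When only a certfile is supplied the whole check is skipped. Since the operator explicitly asked for TLS, I would fail closed rather than continue or silently downgrade to plain HTTP, as sketched below. An `import os` is not visible in the hunks shown, so confirm it is in scope.

```python
    # … unchanged: shared.opts.onchange registrations …
    tls_paths = {"keyfile": cmd_opts.tls_keyfile, "certfile": cmd_opts.tls_certfile}
    if any(path is not None for path in tls_paths.values()):
        # TLS was requested: refuse to start rather than fall back to plain HTTP.
        for label, path in tls_paths.items():
            if path is None or not os.path.isfile(path):
                raise SystemExit(f"TLS {label} is missing or not a file: {path!r}")
        print("Running with TLS")
    # … unchanged: sigint_handler …
```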
@@ -90,6 +108,11 @@ def initialize(): signal.signal(signal.SIGINT, sigint_handler)
+def setup_cors(app):
+ if cmd_opts.cors_allow_origins:
+ app.add_middleware(CORSMiddleware, allow_origins=cmd_opts.cors_allow_origins.split(','), allow_methods=['*'])
+
+
def create_api(app):
from modules.api.api import Api
api = Api(app, queue_lock)
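Review bot: `setup_cors` passes `cmd_opts.cors_allow_origins.split(',')` straight to `CORSMiddleware`, so an entry written with a space after the comma never matches, and an empty entry is kept. A value of `*` also restores the open cross-origin policy that the `webui()` hunk removes from gradio on purpose. I would trim and filter the list with `allow_origins=[o.strip() for o in cmd_opts.cors_allow_origins.split(',') if o.strip()]`. I would also add a docstring saying the option should list exact trusted origins, and consider narrowing `allow_methods=['*']` to the methods the API actually serves.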
@@ -111,9 +134,12 @@ def api_only(): initialize()
app = FastAPI()
+ setup_cors(app)
app.add_middleware(GZipMiddleware, minimum_size=1000)
api = create_api(app)
+ modules.script_callbacks.app_started_callback(None, app)
+
api.launch(server_name="0.0.0.0" if cmd_opts.listen else "127.0.0.1", port=cmd_opts.port if cmd_opts.port else 7861)
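Review bot: `api_only()` still hard-codes `"0.0.0.0" if cmd_opts.listen else "127.0.0.1"` in `api.launch` instead of using the module-level `server_name` this commit introduces, so `cmd_opts.server_name` is ignored in API-only mode. The TLS key and certificate are not passed here either. With TLS configured, `initialize()` prints "Running with TLS" while this path, as far as the hunk shows, serves the API in plaintext. The signature of `api.launch` is outside the hunk, so confirm whether it can accept the bind address and the `ssl_keyfile`/`ssl_certfile` pair, and forward them or reject the combination at startup.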
@@ -126,8 +152,10 @@ def webui(): app, local_url, share_url = demo.launch(
share=cmd_opts.share,
- server_name="0.0.0.0" if cmd_opts.listen else None,
+ server_name=server_name,
server_port=cmd_opts.port,
+ ssl_keyfile=cmd_opts.tls_keyfile,
+ ssl_certfile=cmd_opts.tls_certfile,
debug=cmd_opts.gradio_debug,
auth=[tuple(cred.split(':')) for cred in cmd_opts.gradio_auth.strip('"').split(',')] if cmd_opts.gradio_auth else None,
inbrowser=cmd_opts.autolaunch,
@@ -136,6 +164,14 @@ def webui(): # after initial launch, disable --autolaunch for subsequent restarts
cmd_opts.autolaunch = False
+ # gradio uses a very open CORS policy via app.user_middleware, which makes it possible for
+ # an attacker to trick the user into opening a malicious HTML page, which makes a request to the
+ # running web ui and do whatever the attcker wants, including installing an extension and
+ # runnnig its code. We disable this here. Suggested by RyotaK.
+ app.user_middleware = [x for x in app.user_middleware if x.cls.__name__ != 'CORSMiddleware']
+
+ setup_cors(app)
+
app.add_middleware(GZipMiddleware, minimum_size=1000)
if launch_api:
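Review bot: The filter on `app.user_middleware` matches on the string `x.cls.__name__ != 'CORSMiddleware'` and does not check that anything was removed. If gradio registers its CORS handling differently in another version, the open policy silently stays in place. I would compare list lengths before and after and print a warning when nothing was dropped, for example `if len(app.user_middleware) == before: print("Warning: gradio CORS middleware not found; cross-origin policy unchanged")`. The edit also happens after `demo.launch` has returned, so it presumably relies on the following `add_middleware` call rebuilding the middleware stack; a short comment saying so would help the next maintainer. The comment text has two typos ("attcker", "runnnig"), and the `if launch_api:` block continues outside the hunk.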