fix web server handling of rel and abs outdir paths (#550)

* fix web server handling of rel and abs outdir paths * Can now specify either a relative or absolute path for outdir * Outdir path does not need to be inside the stable-diffusion directory * Closes security hole that allowed user to read any file within stable-diffusion (eek!) * Closes #536
2026-02-03 20:55:02 -05:00 · 2022-09-14 07:09:01 -04:00
parent e6179af46a
commit 5818528aa6
3 changed files with 47 additions and 26 deletions
--- a/ldm/dream/server.py
+++ b/ldm/dream/server.py
@@ -103,10 +103,14 @@ class DreamServer(BaseHTTPRequestHandler):
            self.end_headers()
            self.wfile.write(bytes('{}', 'utf8'))
        else:
-            path = "." + self.path
-            cwd = os.path.realpath(os.getcwd())
-            is_in_cwd = os.path.commonprefix((os.path.realpath(path), cwd)) == cwd
-            if not (is_in_cwd and os.path.exists(path)):
+            path_dir = os.path.dirname(self.path)
+            out_dir  = os.path.realpath(self.outdir.rstrip('/'))
+            if self.path.startswith('/static/dream_web/'):
+                path = '.' + self.path
+            elif out_dir.endswith(path_dir):
+                file = os.path.basename(self.path)
+                path = os.path.join(self.outdir,file)
+            else:
                self.send_response(404)
                return
            mime_type = mimetypes.guess_type(path)[0]
@@ -114,7 +118,7 @@ class DreamServer(BaseHTTPRequestHandler):
                self.send_response(200)
                self.send_header("Content-type", mime_type)
                self.end_headers()
-                with open("." + self.path, "rb") as content:
+                with open(path, "rb") as content:
                    self.wfile.write(content.read())
            else:
                self.send_response(404)