Improved directory sanitization when --hide_ui_dir_config

Fixes an issue where it's still possible to write to arbitrary directories through careful use of \.. or /.. in directory patterns

...and fix the regex to work better

reeeegex
This commit is contained in:
EyeDeck 2022-09-14 21:05:00 -04:00 committed by AUTOMATIC1111
parent 4a626f6ea6
commit dfb2e830d9
1 changed files with 4 additions and 1 deletions

View File

@ -13,7 +13,7 @@ import string
import modules.shared
from modules import sd_samplers, shared
from modules.shared import opts
from modules.shared import opts, cmd_opts
LANCZOS = (Image.Resampling.LANCZOS if hasattr(Image, 'Resampling') else Image.LANCZOS)
@ -277,6 +277,9 @@ def apply_filename_pattern(x, p, seed, prompt):
x = x.replace("[model_hash]", shared.sd_model_hash)
x = x.replace("[date]", datetime.date.today().isoformat())
if cmd_opts.hide_ui_dir_config:
x = re.sub(r'^[\\/]+|\.{2,}[\\/]+|[\\/]+\.{2,}', '', x)
return x
def get_next_sequence_number(path, basename):