From cc6683a688a22d2582f14d7008a4d3e67218f3c9 Mon Sep 17 00:00:00 2001
From: Ju1-js <40339350+Ju1-js@users.noreply.github.com>
Date: Tue, 13 Dec 2022 19:24:18 -0800
Subject: [PATCH] Path traversal exploit fix - #60

Also a comment typo fix.
---
scripts/images_history.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/images_history.py b/scripts/images_history.py
index cafe549..3057132 100644
--- a/scripts/images_history.py
+++ b/scripts/images_history.py
@@ -110,6 +110,12 @@ def get_all_images(dir_name, sort_by, keyword): return filenames def get_image_page(img_path, page_index, filenames, keyword, sort_by): + if not cmd_opts.administrator: + head = os.path.realpath(".") + real_path = os.path.realpath(img_path) + if len(real_path) < len(head) or real_path[:len(head)] != head: + warning = f"You have not permission to visit {img_path}. If you want visit all directories, add command line argument option '--administrator', More detail here" + return None, 0, None, "", "", "", None, None, warning if page_index == 1 or page_index == 0 or len(filenames) == 0: filenames = get_all_images(img_path, sort_by, keyword) page_index = int(page_index)
@@ -240,7 +246,7 @@ def create_tab(tabname): with gr.Row(): collected_warning = gr.HTML() - # hiden items + # hidden items with gr.Row(visible=False): renew_page = gr.Button("Renew Page", elem_id=tabname + "_images_history_renew_page") visible_img_num = gr.Number()
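Review bot: The new guard in get_image_page compares raw string prefixes, `real_path[:len(head)] != head`, without anchoring on a path separator, so with a working directory of `/srv/app` a request for `/srv/app-backup/...` or `/srv/app2/...` still passes and the traversal fix is incomplete; compare on a component boundary instead, `if os.path.commonpath([head, real_path]) != head:`, which also makes the `len(real_path) < len(head)` clause unnecessary. The `os.path.realpath()` calls do resolve symlinks and `..`, so that part of the bypass is handled. The returned `warning` interpolates the caller-supplied `img_path` into an f-string; if it is rendered through the `gr.HTML` component visible in the second hunk, the path is reflected into the page unescaped and should pass through `html.escape()` first — worth confirming against the caller, which is outside this hunk. The message itself reads oddly ("You have not permission", and "More detail here" with nothing following), so tidy the wording while touching the line. get_image_page's body continues past the end of the hunk.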