fix(userdata): catch invalid workflow filenames (Comfy-Org#9434) (Comfy-Org#9445)

saurabh-pingale · web-flow · commit 0737b7e0d245 · 2025-08-20T22:27:57.000-04:00
diff --git a/app/user_manager.py b/app/user_manager.py
@@ -363,10 +363,17 @@ async def post_userdata(request):
             if not overwrite and os.path.exists(path):
                 return web.Response(status=409, text="File already exists")
 
-            body = await request.read()
+            try:
+                body = await request.read()
 
-            with open(path, "wb") as f:
-                f.write(body)
+                with open(path, "wb") as f:
+                    f.write(body)
+            except OSError as e:
+                logging.warning(f"Error saving file '{path}': {e}")
+                return web.Response(
+                    status=400,
+                    reason="Invalid filename. Please avoid special characters like :\\/*?\"<>|"
+                )
 
             user_path = self.get_request_user_filepath(request, None)
             if full_info:
