authorDepFA <35278260+dfaker@users.noreply.github.com>2022-10-11 15:15:09 +0100
committerGitHub <noreply@github.com>2022-10-11 15:15:09 +0100
commit1eaad955330bbe2d55f6b528c902758739413dc8 (patch)
treefba92d854e283d3a413b1b36682bb23171a086d7 /modules/safe.py
parent7aa8fcac1e45c3ad9c6a40df0e44a346afcd5032 (diff)
parente0ee5bf703996b33e6d97aa36e0973ceedc88503 (diff)
Merge branch 'master' into embed-embeddings-in-images
Diffstat (limited to 'modules/safe.py')
-rw-r--r--modules/safe.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/modules/safe.py b/modules/safe.py
index 05917463..20be16a5 100644
--- a/modules/safe.py
+++ b/modules/safe.py
@@ -10,6 +10,7 @@ import torch
import numpy
import _codecs
import zipfile
+import re
# PyTorch 1.13 and later have _TypedStorage renamed to TypedStorage
@@ -54,11 +55,27 @@ class RestrictedUnpickler(pickle.Unpickler):
raise pickle.UnpicklingError(f"global '{module}/{name}' is forbidden")
+allowed_zip_names = ["archive/data.pkl", "archive/version"]
+allowed_zip_names_re = re.compile(r"^archive/data/\d+$")
+
+
+def check_zip_filenames(filename, names):
+ for name in names:
+ if name in allowed_zip_names:
+ continue
+ if allowed_zip_names_re.match(name):
+ continue
+
+ raise Exception(f"bad file inside {filename}: {name}")
+
+
def check_pt(filename):
try:
# new pytorch format is a zip file
with zipfile.ZipFile(filename) as z:
+ check_zip_filenames(filename, z.namelist())
+
with z.open('archive/data.pkl') as file:
unpickler = RestrictedUnpickler(file)
unpickler.load()
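Review bot: In `check_zip_filenames`, `allowed_zip_names_re.match(name)` relies on `$`, which in Python also matches just before a trailing newline, so a member name such as `archive/data/0\n` would pass the allowlist; `\d` in a str pattern also accepts non-ASCII digits. Anchoring the whole string closes both gaps: compile the pattern as `re.compile(r"archive/data/[0-9]+")` and test it with `if allowed_zip_names_re.fullmatch(name):`. The rejection is raised as a bare `Exception`, whereas the unpickler just above raises `pickle.UnpicklingError`; using `raise pickle.UnpicklingError(f"bad file inside {filename}: {name}")` would let callers treat both rejections alike. That assumes the `except` clause of the `try:` in `check_pt`, which lies outside this hunk, does not take that type as a cue to fall back to another loader, so confirm it before changing the type.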