AUTOMATIC1111 / stable-diffusion-webui

Stable Diffusion web UI
GNU Affero General Public License v3.0

Update safe.py to handle extra pytorch 2.x metadata #14261

Open acherry opened 7 months ago

acherry commented 7 months ago

Is there an existing issue for this?

What would your feature do ?

It looks like pytorch is producing additional metadata files such as the "byteorder" endianness marker mentioned here and the serialization ID mentioned here. Those extra metadata files cause A1111's safety checks to raise an exception:

Traceback (most recent call last):
  File ".\A1111\webui\modules\safe.py", line 137, in load_with_extra
    check_pt(filename, extra_handler)
  File ".\A1111\webui\modules\safe.py", line 84, in check_pt
    check_zip_filenames(filename, z.namelist())
  File ".\A1111\webui\modules\safe.py", line 76, in check_zip_filenames
    raise Exception(f"bad file inside (unknown): {name}")
Exception: bad file inside .\A1111\webui\extensions\sd-webui-animatediff\model\animatediffMotion_sdxlV10Beta.ckpt: mm_sdxl_nightly,ckpt/byteorder

I was able to confirm this behavior with the "sdxl v1.0 beta" AnimateDiff motion module on this Civitai page (uploaded 2023-11-09 - presumably created with recent pytorch) but there are probably simpler examples.

It would be nice if there were a way for users to use these files other than globally disabling safety checks with --disable-safe-unpickle.

Proposed workflow

A partial fix would be for the existing allow-list regex to include the byteorder file and serialization ID, but there's probably a better solution than just expanding the list for every new file.

Additional information

No response

acherry commented 7 months ago

Related to #10179 and probably #13814

Athari commented 3 months ago

This also makes DAT upscaler models from OpenModelDB.info impossible to use:

*** Error verifying pickled file from C:\Apps\StableDiffusionWeb\models\DAT\4x_NomosUniDAT_otf.pth
*** The file may be malicious, so the program is not going to read it.
*** You can skip this check with --disable-safe-unpickle commandline argument.
***
Traceback (most recent call last):
  File "C:\Apps\StableDiffusionWeb\modules\safe.py", line 137, in load_with_extra
    check_pt(filename, extra_handler)
  File "C:\Apps\StableDiffusionWeb\modules\safe.py", line 84, in check_pt
    check_zip_filenames(filename, z.namelist())
  File "C:\Apps\StableDiffusionWeb\modules\safe.py", line 76, in check_zip_filenames
    raise Exception(f"bad file inside (unknown): {name}")
Exception: bad file inside C:\Apps\StableDiffusionWeb\models\DAT\4x_NomosUniDAT_otf.pth: net_g_150000/byteorder

Athari commented 3 months ago

More names:

    Exception: bad file inside models\DAT\4x_NomosUniDAT2_multijpg_ldl.pth: net_g_171000/.data/serialization_id

I've no idea why it's even checked like this, but I'm currently at this regex:

allowed_zip_names_re = re.compile(r"^([^/]+)/((\.?data/(\d+|serialization_id))|version|byteorder|(data\.pkl))$")
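The extended allow-list above, applied the way safe.py's zip-member check uses it, as an added example (not code from the repository or from the commenter): the regex is run over constructed member lists for an old-style checkpoint and one written by a newer pytorch (byteorder, .data/serialization_id), and member names outside the allow-list are still rejected before any unpickling would happen. The function names and the sample member lists are assumptions for this example, not safe.py's exact signatures.

```python
import re

# Extended allow-list from the comment above: the old-style members (data/N,
# version, data.pkl) plus the byteorder and .data/serialization_id entries that
# recent pytorch versions add to the checkpoint zip.
allowed_zip_names_re = re.compile(
    r"^([^/]+)/((\.?data/(\d+|serialization_id))|version|byteorder|(data\.pkl))$"
)


def check_zip_filenames(filename, names):
    """Raise if any member of the checkpoint zip is outside the allow-list.

    Every member must sit directly under one top-level directory and be one of
    the known torch serialization files; anything else (stray files, nested
    paths, members at the archive root) is rejected before unpickling.
    Hypothetical re-implementation of the check, not safe.py's own code.
    """
    for name in names:
        if allowed_zip_names_re.match(name) is None:
            raise Exception(f"bad file inside {filename}: {name}")


def is_allowed(filename, names):
    """True if every member passes the allow-list, False if the check raises."""
    try:
        check_zip_filenames(filename, names)
        return True
    except Exception:
        return False


# Constructed member lists (not taken from real checkpoints).
OLD_STYLE = ["model/data.pkl", "model/version", "model/data/0", "model/data/1"]
NEW_STYLE = [
    "net_g_171000/data.pkl", "net_g_171000/version", "net_g_171000/byteorder",
    "net_g_171000/.data/serialization_id", "net_g_171000/data/0",
]
UNEXPECTED = ["net_g_171000/data.pkl", "net_g_171000/extra/readme.txt"]

if __name__ == "__main__":
    for label, names in [("old", OLD_STYLE), ("new", NEW_STYLE), ("odd", UNEXPECTED)]:
        print(label, "allowed" if is_allowed(f"{label}.pth", names) else "rejected")
```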