Security issue: Stable Diffusion open on "public url" by default #1141

Closed
almostobvious opened this issue Feb 4, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@almostobvious

What happened?

Default installation of Stable Diffusion runs with --shared, opening unsuspecting users to abuse of all kinds, primarily abuse of their computing resources and perhaps denial of service.

Also, there doesn't seem to be an option in Stability Matrix to override this behaviour.

Steps to reproduce

  1. Install Stability Matrix
  2. Install Stable Diffusion
  3. Run Stable Diffusion
  4. Observe that Stable Diffusion is running with --shared option and will have something like "Running on public URL: https://af1635fac3102a1952.gradio.live"

Relevant logs

Python 3.10.11 (tags/v3.10.11:7d4cc5a, Apr  5 2023, 00:38:17) [MSC v.1929 64 bit (AMD64)]
Version: v1.10.0
Commit hash: c19d04436496ab29ddca4758a792831ae41b31de
Launching Web UI with arguments: --server-name 10.10.0.16 --share --xformers --api --skip-python-version-check --gradio-allowed-path 'C:\StabilityMatrix\Images'
C:\StabilityMatrix\Packages\stable-diffusion-webui\venv\lib\site-packages\timm\models\layers\__init__.py:48: FutureWarning: Importing from timm.models.layers is deprecated, please import via timm.layers
  warnings.warn(f"Importing from {__name__} is deprecated, please import via timm.layers", FutureWarning)
Loading weights [6ce0161689] from C:\StabilityMatrix\Packages\stable-diffusion-webui\models\Stable-diffusion\v1-5-pruned-emaonly.safetensors
Creating model from config: C:\StabilityMatrix\Packages\stable-diffusion-webui\configs\v1-inference.yaml
Running on local URL:  http://10.10.0.16 :7860
C:\StabilityMatrix\Packages\stable-diffusion-webui\venv\lib\site-packages\huggingface_hub\file_download.py:797: FutureWarning: `resume_download` is deprecated and will be removed in version 1.0.0. Downloads always resume when possible. If you want to force a new download, use `force_download=True`.
  warnings.warn(
Running on public URL: https://af1635fac3102a1952.gradio.live

This share link expires in 72 hours. For free permanent hosting and GPU upgrades, run `gradio deploy` from Terminal to deploy to Spaces (https://huggingface.co/spaces)

Version

2.12.3

What Operating System are you using?

Windows

@almostobvious almostobvious added the bug label Feb 4, 2025
@mohnjiles
Contributor

Hi, we do not enable --share by default for any of the web UIs. There is also an IP address in the server name options in your logs - we do not have your IP address or a way to set that automatically. A fresh install on the latest version will only have these arguments by default:

--xformers --api --skip-python-version-check --gradio-allowed-path 'C:\SMData\Data\Data\Images'

You can access those launch options via the ⚙️ menu on the Packages page to turn off the --server-name and --share options.

@mohnjiles mohnjiles closed this as not planned Feb 4, 2025
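
An added example, not part of the issue thread and not Stability Matrix or web UI code: a Python check that reads a web UI launch log and reports the exposure signals discussed above (`--share`, a non-loopback `--server-name`, and a "Running on public URL" line). It assumes the log line formats shown in the issue; the function names and the finding strings are hypothetical.

```python
import ipaddress
import re
import shlex

# Constructed sample: two lines copied from the log quoted in the issue above.
SAMPLE_LOG = r"""Launching Web UI with arguments: --server-name 10.10.0.16 --share --xformers --api --skip-python-version-check --gradio-allowed-path 'C:\StabilityMatrix\Images'
Running on public URL: https://af1635fac3102a1952.gradio.live
"""

ARGS_RE = re.compile(r"^Launching Web UI with arguments:\s*(.*)$", re.M)
PUBLIC_RE = re.compile(r"^Running on public URL:\s*(\S+)", re.M)


def is_loopback(host):
    """True only for localhost or a loopback IP literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as non-loopback


def audit_launch_log(log_text):
    """Return a list of exposure findings for one launch log."""
    findings = []
    match = ARGS_RE.search(log_text)
    if match:
        # posix=False keeps Windows backslashes in quoted paths intact.
        args = shlex.split(match.group(1), posix=False)
        for i, arg in enumerate(args):
            name, _, value = arg.partition("=")
            if name == "--share":
                findings.append("--share: Gradio public share link requested")
            elif name == "--server-name":
                host = value or (args[i + 1] if i + 1 < len(args) else "")
                if not is_loopback(host):
                    findings.append(f"--server-name {host}: non-loopback bind")
        if "--api" in args and findings:
            findings.append("--api: API enabled on an exposed listener")
    for url in PUBLIC_RE.findall(log_text):
        findings.append(f"public URL live: {url}")
    return findings


if __name__ == "__main__":
    for finding in audit_launch_log(SAMPLE_LOG):
        print("EXPOSED:", finding)
```

Run against the default arguments quoted in the maintainer's reply, the same check returns no findings.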