mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 08:21:12 -05:00
[PR #24548] fix: gate OAuth profile picture MIME at ingestion + storage layer #115029
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24548
Author: @Classic298
Created: 5/10/2026
Status: 🔄 Open
Base:
dev← Head:fix/oauth-picture-mime-and-storage-validator📝 Commits (1)
5e7244afix: gate OAuth profile picture MIME at ingestion + storage layer📊 Changes
2 files changed (+36 additions, -9 deletions)
View changed files
📝
backend/open_webui/models/users.py(+13 -0)📝
backend/open_webui/utils/oauth.py(+23 -9)📄 Description
process_picture_url (utils/oauth.py): MIME was inferred from the URL extension via mimetypes.guess_type, the upstream Content-Type was discarded, and there was no allowlist. An SVG picture URL produced data:image/svg+xml;base64,... in the user's profile_image_url. Switch to the upstream Content-Type and gate it against PROFILE_IMAGE_ALLOWED_MIME_TYPES (the same env var the serving endpoint already uses); fall back to /user.png if the MIME isn't in the allowlist. Also pass allow_redirects=AIOHTTP_CLIENT ALLOW_REDIRECTS on the aiohttp session.get — the existing validate_url() only checks the initial URL, redirects to internal targets would otherwise still be followed (same class as the rh5x-h6pp-cjj6 cluster, sixth call site).
update_user_profile_image_url_by_id (models/users.py): SQLAlchemy write path bypassed the Pydantic form validators, so anything stored via OAuth or any other non-form caller landed in the column unchallenged. Run validate_profile_image_url at the storage layer before the assignment.
insert_new_user (models/users.py): same gap on the new-user path used by Auths.insert_new_auth (OAuth signup, LDAP). Same storage-layer call to validate_profile_image_url, falling back to /user.png if the supplied value doesn't pass.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.