[PR #24625] fix: gate get_image_base64_from_url file_id lookup by caller ownership #115056

Open
opened 2026-05-18 15:59:37 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24625
Author: @Classic298
Created: 5/12/2026
Status: 🔄 Open

Base: devHead: fix/image-url-file-id-ownership


📝 Commits (1)

  • 5007e91 fix: gate get_image_base64_from_url file_id lookup by caller ownership

📊 Changes

2 files changed (+20 additions, -4 deletions)

View changed files

📝 backend/open_webui/utils/files.py (+17 -1)
📝 backend/open_webui/utils/middleware.py (+3 -3)

📄 Description

convert_url_images_to_base64() in utils/middleware.py was calling get_image_base64_from_url(url) without passing the authenticated user. When the url didn't start with http(s):// or data:image/, the helper treated it as a file_id and resolved it via Files.get_file_by_id(url) with no ownership filter — read the file from disk, base64-encoded it, and inlined it into the LLM request as an image_url attachment.

An authenticated user could put another user's file_id (UUIDs leak through shared chats, KB membership, chat exports, etc.) into an image_url.url field on /api/chat/completions and ask the model to describe / OCR the file. The server's read of the victim file went through unchecked; the LLM response carried the file content back to the caller.

Thread user through convert_url_images_to_base64() and through get_image_base64_from_url(). Gate the file-by-id branch by the same pattern used at the other file-access call sites: owner, admin under the documented bypass posture, or explicit has_access_to_file('read') grant (covering shared KBs / channels / shared chats). Callers that don't have a user in scope get None back — same as the existing "file not found" code path.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24625 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 5/12/2026 **Status:** 🔄 Open **Base:** `dev` ← **Head:** `fix/image-url-file-id-ownership` --- ### 📝 Commits (1) - [`5007e91`](https://github.com/open-webui/open-webui/commit/5007e914b4825675f858c19c0a69f168be58edb4) fix: gate get_image_base64_from_url file_id lookup by caller ownership ### 📊 Changes **2 files changed** (+20 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/files.py` (+17 -1) 📝 `backend/open_webui/utils/middleware.py` (+3 -3) </details> ### 📄 Description convert_url_images_to_base64() in utils/middleware.py was calling get_image_base64_from_url(url) without passing the authenticated user. When the url didn't start with http(s):// or data:image/, the helper treated it as a file_id and resolved it via Files.get_file_by_id(url) with no ownership filter — read the file from disk, base64-encoded it, and inlined it into the LLM request as an image_url attachment. An authenticated user could put another user's file_id (UUIDs leak through shared chats, KB membership, chat exports, etc.) into an image_url.url field on /api/chat/completions and ask the model to describe / OCR the file. The server's read of the victim file went through unchecked; the LLM response carried the file content back to the caller. Thread `user` through convert_url_images_to_base64() and through get_image_base64_from_url(). Gate the file-by-id branch by the same pattern used at the other file-access call sites: owner, admin under the documented bypass posture, or explicit has_access_to_file('read') grant (covering shared KBs / channels / shared chats). Callers that don't have a user in scope get None back — same as the existing "file not found" code path. ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 15:59:37 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#115056