mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-15 21:19:39 -05:00
[PR #24809] fix: disable redirect following in OAuth picture fetch (SSRF) #115171
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24809
Author: @Classic298
Created: 5/16/2026
Status: 🔄 Open
Base:
dev← Head:fix/oauth-picture-url-redirect-ssrf📝 Commits (1)
6da480afix: disable redirect following in OAuth picture fetch (SSRF)📊 Changes
1 file changed (+7 additions, -1 deletions)
View changed files
📝
backend/open_webui/utils/oauth.py(+7 -1)📄 Description
_process_picture_url validated the initial picture URL with validate_url() but then aiohttp followed 3xx redirects without re-validating the target, so a validate_url-passing public URL could 302 to an internal address and the body was base64-stored in the user's profile_image_url. This is the sixth call site of the CVE-2026-45401 redirect-bypass cohort; the other five already pass allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS. Apply the same.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.