mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 23:21:44 -05:00
[PR #11636] [MERGED] fix: audio api endpoint filetype check #126426
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/11636
Author: @OliveiraHermogenes
Created: 3/13/2025
Status: ✅ Merged
Merged: 3/14/2025
Merged by: @tjbck
Base:
dev← Head:fix-api-audio-mimetype-check📝 Commits (1)
e936d7bfix: audio api endpoint filetype check📊 Changes
1 file changed (+3 additions, -1 deletions)
View changed files
📝
backend/open_webui/routers/audio.py(+3 -1)📄 Description
Pull Request Checklist
Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.
Fixes #11426
Before submitting, make sure you've checked the following:
devbranch.Not applicable.
Not applicable.
Preexisting tests against
/api/audioendpoints, if any, still apply.Changelog Entry
Description
See #11426 for more context. A more technical rationale for the changes follow.
RFC2046 allows the Content-Type field to have additional parameters after the main type/subtype information (Section 1).
Following RFC4281, many applications put codec information inside parameters in the Content-Type. This is especially common for formats that support many codecs, such as Ogg (RFC5334, Section 4).
The
/api/audio/transcriptionsendpoint is currently rejecting files that contain parameters in the Content-Type field with a bad request error.This commit changes the current check in order to accept any Content-Type field that begins with a supported type/subtype as listed in the
supported_filetypestuple.Since Content-Type here is provided by the user, I believe this check is meant to prevent honest mistakes, like posting a PDF to an audio processing endpoint, not as a security measure against possibly malicious use. Therefore, I think it's OK not to validate the rest of the field.
Fixed
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.