[PR #24671] [CLOSED] fix(images): add null-check in upload_image to prevent crash on SSRF block #131435

New Issue

GiteaMirror · 2026-05-21T16:57:04-05:00

GiteaMirror commented

2026-05-21 16:57:04 -05:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24671
Author: @mturac
Created: 5/13/2026
Status: ❌ Closed

Base: main ← Head: fix/comfyui-image-upload-crash

📝 Commits (1)

b60ea13 fix(images): add null-check in upload_image to prevent crash on SSRF block

📊 Changes

1 file changed (+10 additions, -0 deletions)

View changed files

📝 backend/open_webui/routers/images.py (+10 -0)

📄 Description

Summary

When get_image_data returns (None, None) due to an SSRF block (e.g., ComfyUI on private IP like 192.168.x.x), upload_image crashes with 'NoneType' object has no attribute 'lower' in mimetypes.guess_extension.

This is a regression from PR #24518 which added validate_url() to prevent SSRF attacks. While the security fix is important, it broke ComfyUI deployments on private networks.

Fix

Add a null-check at the start of upload_image that raises a descriptive HTTPException pointing users to the ENABLE_RAG_LOCAL_WEB_FETCH workaround.

Changes

backend/open_webui/routers/images.py: Added null-check in upload_image() function

Testing

Verified that upload_image now raises a 400 error with a helpful message instead of crashing
The error message guides users to set ENABLE_RAG_LOCAL_WEB_FETCH=true

Regression from [PR #17685] [CLOSED] Sync fork (#24518)
Workaround: Set ENABLE_RAG_LOCAL_WEB_FETCH=true

Fixes #24565

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24671 **Author:** [@mturac](https://github.com/mturac) **Created:** 5/13/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/comfyui-image-upload-crash` --- ### 📝 Commits (1) - [`b60ea13`](https://github.com/open-webui/open-webui/commit/b60ea137040e3ed4ad997e86bb59be22d788785f) fix(images): add null-check in upload_image to prevent crash on SSRF block ### 📊 Changes **1 file changed** (+10 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/images.py` (+10 -0) </details> ### 📄 Description ## Summary When `get_image_data` returns `(None, None)` due to an SSRF block (e.g., ComfyUI on private IP like `192.168.x.x`), `upload_image` crashes with `'NoneType' object has no attribute 'lower'` in `mimetypes.guess_extension`. This is a regression from PR #24518 which added `validate_url()` to prevent SSRF attacks. While the security fix is important, it broke ComfyUI deployments on private networks. ## Fix Add a null-check at the start of `upload_image` that raises a descriptive `HTTPException` pointing users to the `ENABLE_RAG_LOCAL_WEB_FETCH` workaround. ## Changes - `backend/open_webui/routers/images.py`: Added null-check in `upload_image()` function ## Testing - Verified that `upload_image` now raises a 400 error with a helpful message instead of crashing - The error message guides users to set `ENABLE_RAG_LOCAL_WEB_FETCH=true` ## Related - Regression from #24518 - Workaround: Set `ENABLE_RAG_LOCAL_WEB_FETCH=true` Fixes #24565 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-05-21 16:57:04 -05:00

GiteaMirror closed this issue

2026-05-21 16:57:14 -05:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#131435