mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:34:13 -05:00
[PR #24524] [MERGED] fix: prevent redirect-based SSRF and enforce collecton write access #98744
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24524
Author: @Classic298
Created: 5/9/2026
Status: ✅ Merged
Merged: 5/10/2026
Merged by: @tjbck
Base:
dev← Head:fix/ssrf-redirect-image-base64-from-url📝 Commits (3)
2f11de8fix: prevent redirect-based SSRF in get_image_base64_from_url0efee1bfix: enforce collection write access on process_file endpoint2868f6bfix: enforce collection write access on process_files_batch endpoint📊 Changes
2 files changed (+18 additions, -3 deletions)
View changed files
📝
backend/open_webui/routers/retrieval.py(+5 -0)📝
backend/open_webui/utils/files.py(+13 -3)📄 Description
Cohort follow-up to PR #24491. That PR patched three call sites (SafeWebBaseLoader._scrape, get_content_from_url, load_url_image) to pass allow_redirects=False on the underlying HTTP client; this fourth call site in utils/files.py was missed.
get_image_base64_from_url() is invoked from convert_url_images_to_base64 in utils/middleware.py on every /api/chat/completions request whose message content includes an image_url part. validate_url() is called on the originally-submitted URL only; the aiohttp session.get() call had no allow_redirects argument and the shared session pool does not override the aiohttp default (allow_redirects=True). An authenticated user sending a chat message with image_url pointing at an attacker host that 302-redirects to 169.254.169.254 / 127.0.0.1 / RFC1918 reached the internal target. This is the most reachable variant in the redirect cluster: no special endpoint, no admin permission, no feature flag.
Apply the same one-line fix as the other three call sites: pass allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS (defaults to False).
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.