mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-19 04:10:26 -05:00
The connection-layer DNS-rebinding guard (_SSRFSafeResolver / _SSRFSafeAdapter, PR #24759) was mounted only on SafeWebBaseLoader. Two user-reachable image fetches validate the URL then fetch it through the shared get_session() pool with the default resolver, so a TTL-0 rebinding answer that passed validate_url reaches an internal address at connect: - get_image_base64_from_url (utils/files.py): user image_url on every chat completion. - load_url_image (routers/images.py, POST /api/v1/images/edit): user-supplied image field. Add get_ssrf_safe_session() (a one-off aiohttp session mounting _SSRFSafeResolver) and use it for both fetches, so the connect-time IP is re-validated and a rebound loopback / RFC1918 / metadata address is rejected. The shared pool is left untouched for the admin-configured image-generation callers, which legitimately reach internal hosts. Co-authored-by: dhyabi2 <32069256+dhyabi2@users.noreply.github.com> Co-authored-by: geo-chen <2404584+geo-chen@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>