diff --git a/backend/open_webui/retrieval/utils.py b/backend/open_webui/retrieval/utils.py index f805fb4090..0421787819 100644 --- a/backend/open_webui/retrieval/utils.py +++ b/backend/open_webui/retrieval/utils.py @@ -191,7 +191,8 @@ def _is_text_content_type(content_type: str) -> bool: async def get_content_from_url(request, url: str) -> str: - from open_webui.retrieval.web.utils import validate_url + from open_webui.retrieval.web.utils import validate_url, _SSRFSafeAdapter + loader_config = await get_loader_config() @@ -216,7 +217,11 @@ async def get_content_from_url(request, url: str) -> str: # re-validation would let an attacker reach private IPs (RFC1918, loopback, # cloud-metadata 169.254.169.254) via a public host that redirects internally. try: - response = requests.get(url, stream=True, timeout=30, allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS) + # Probe through the connect-time SSRF guard; bare requests.get re-resolves (DNS-rebinding gap). + session = requests.Session() + session.mount('http://', _SSRFSafeAdapter()) + session.mount('https://', _SSRFSafeAdapter()) + response = session.get(url, stream=True, timeout=30, allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS) response.raise_for_status() content_type = response.headers.get('Content-Type', '') except Exception: