From 665f95eda396e857784bdadf5381c29f982db501 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Wed, 28 Jan 2026 01:18:39 +0400
Subject: [PATCH] refac
---
 backend/open_webui/utils/files.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/backend/open_webui/utils/files.py b/backend/open_webui/utils/files.py
index a37ecf31c6..af8818d59b 100644
--- a/backend/open_webui/utils/files.py
+++ b/backend/open_webui/utils/files.py
@@ -18,6 +18,7 @@ from open_webui.storage.provider import Storage
 from open_webui.models.chats import Chats
 from open_webui.models.files import Files
 from open_webui.routers.files import upload_file_handler
+from open_webui.retrieval.web.utils import validate_url
 import mimetypes
 import base64
@@ -33,6 +34,8 @@ MARKDOWN_IMAGE_URL_PATTERN = re.compile(r"!\[(.*?)\]\((.+?)\)", re.IGNORECASE)
 def get_image_base64_from_url(url: str) -> Optional[str]:
 try:
 if url.startswith("http"):
+ # Validate URL to prevent SSRF attacks against local/private networks
+ validate_url(url)
 # Download the image from the URL
 response = requests.get(url)
 response.raise_for_status()
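Review bot: In the second hunk the added `validate_url(url)` checks only the URL string that was passed in, while the unchanged `requests.get(url)` two lines below follows redirects by default, so an allowed external host can still redirect the fetch to a loopback or private address. Consider `response = requests.get(url, allow_redirects=False, timeout=10)` (the timeout value is illustrative; the call currently has none), or follow redirects manually and run `validate_url` on each `Location` target before requesting it. The check also presumably resolves the hostname separately from the request itself, so a DNS answer that changes between the two lookups would not be caught unless the connection is pinned to the validated address. The return value of `validate_url` is discarded, so the guard relies on it raising for every rejected URL and on the `except` clause of this `try`, which lies outside the hunk, turning that into a failed fetch; both are worth confirming.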