mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-10 20:40:18 +02:00
ws_terminal() interpolated the path parameter session_id directly into the upstream terminal WebSocket URL and then appended ?user_id=<caller>, with no encoding or validation (the HTTP sibling proxy_terminal runs _sanitize_proxy_path; this path ran nothing). An encoded '?'/'&' smuggled through session_id survives Open WebUI's single decode and is re-decoded by the upstream, injecting an attacker-chosen user_id ahead of the appended one. Query parsing binds the first occurrence, so the orchestrator resolves the spoofed user's terminal scope, letting a normal authenticated user present another user's identity to the upstream (CWE-116/863). Encode session_id as an opaque path segment with urllib.parse.quote(session_id, safe=''). This neutralises '?'/'#'/'&' at any decode depth (the upstream's single decode reverses only the quote, leaving the original delimiters inert as path content), while legitimate UUID session ids pass through unchanged. The appended user_id is then the only query parameter the upstream binds. The separate concern that the forwarded identity is a bearer claim with no integrity binding spans Open WebUI and the upstream terminal server and is not addressed here. Co-authored-by: rexpository <30176934+rexpository@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>