From c0385f60ba049da48d2d5452068586d375303c37 Mon Sep 17 00:00:00 2001 From: Timothy Jaeryang Baek Date: Tue, 17 Mar 2026 16:52:14 -0500 Subject: [PATCH] refac --- backend/open_webui/routers/ollama.py | 6 +++++- backend/open_webui/routers/openai.py | 6 +++++- backend/open_webui/utils/chat.py | 6 ++++-- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/backend/open_webui/routers/ollama.py b/backend/open_webui/routers/ollama.py index 14ff55b109..f72cbff5aa 100644 --- a/backend/open_webui/routers/ollama.py +++ b/backend/open_webui/routers/ollama.py @@ -1285,7 +1285,6 @@ async def generate_chat_completion( form_data: dict, url_idx: Optional[int] = None, user=Depends(get_verified_user), - bypass_filter: Optional[bool] = False, bypass_system_prompt: bool = False, ): if not request.app.state.config.ENABLE_OLLAMA_API: @@ -1295,6 +1294,11 @@ async def generate_chat_completion( # Database operations (get_model_by_id, AccessGrants.has_access) manage their own short-lived sessions. # This prevents holding a connection during the entire LLM call (30-60+ seconds), # which would exhaust the connection pool under concurrent load. + + # bypass_filter is read from request.state to prevent external clients from + # setting it via query parameter (CVE fix). Only internal server-side callers + # (e.g. utils/chat.py) should set request.state.bypass_filter = True. + bypass_filter = getattr(request.state, "bypass_filter", False) if BYPASS_MODEL_ACCESS_CONTROL: bypass_filter = True diff --git a/backend/open_webui/routers/openai.py b/backend/open_webui/routers/openai.py index 767aa791f1..6ad49a112b 100644 --- a/backend/open_webui/routers/openai.py +++ b/backend/open_webui/routers/openai.py @@ -938,13 +938,17 @@ async def generate_chat_completion( request: Request, form_data: dict, user=Depends(get_verified_user), - bypass_filter: Optional[bool] = False, bypass_system_prompt: bool = False, ): # NOTE: We intentionally do NOT use Depends(get_session) here. # Database operations (get_model_by_id, AccessGrants.has_access) manage their own short-lived sessions. # This prevents holding a connection during the entire LLM call (30-60+ seconds), # which would exhaust the connection pool under concurrent load. + + # bypass_filter is read from request.state to prevent external clients from + # setting it via query parameter (CVE fix). Only internal server-side callers + # (e.g. utils/chat.py) should set request.state.bypass_filter = True. + bypass_filter = getattr(request.state, "bypass_filter", False) if BYPASS_MODEL_ACCESS_CONTROL: bypass_filter = True diff --git a/backend/open_webui/utils/chat.py b/backend/open_webui/utils/chat.py index 5c83c66822..753ee56636 100644 --- a/backend/open_webui/utils/chat.py +++ b/backend/open_webui/utils/chat.py @@ -166,6 +166,10 @@ async def generate_chat_completion( if BYPASS_MODEL_ACCESS_CONTROL: bypass_filter = True + # Propagate bypass_filter via request.state so that downstream route + # handlers (openai/ollama) can read it without exposing it as a query param. + request.state.bypass_filter = bypass_filter + if hasattr(request.state, "metadata"): if "metadata" not in form_data: form_data["metadata"] = request.state.metadata @@ -269,7 +273,6 @@ async def generate_chat_completion( request=request, form_data=form_data, user=user, - bypass_filter=bypass_filter, bypass_system_prompt=bypass_system_prompt, ) if form_data.get("stream"): @@ -286,7 +289,6 @@ async def generate_chat_completion( request=request, form_data=form_data, user=user, - bypass_filter=bypass_filter, bypass_system_prompt=bypass_system_prompt, )