Merge pull request #3090 from open-webui/dev

0.3.4
2025-05-17 12:03:41 +00:00 · 2024-06-12 11:13:41 -07:00 · 2024-06-12 11:13:41 -07:00 · c2e8af5ed1
commit c2e8af5ed1
parent 0917fa6f4a 70a85d6111
7 changed files with 37 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.3.4] - 2024-06-12
+
+### Fixed
+
+- **🔒 Mixed Content with HTTPS Issue**: Resolved a problem where mixed content (HTTP and HTTPS) was causing security warnings and blocking resources on HTTPS sites.
+- **🔍 Web Search Issue**: Addressed the problem where web search functionality was not working correctly. The `ENABLE_RAG_LOCAL_WEB_FETCH` option has been reintroduced to restore proper web searching capabilities.
+- **💾 RAG Template Not Being Saved**: Fixed an issue where the RAG template was not being saved correctly, ensuring your custom templates are now preserved as expected.
+
 ## [0.3.3] - 2024-06-12

 ### Added
--- a/backend/apps/rag/main.py
+++ b/backend/apps/rag/main.py
@ -717,13 +717,18 @@ def validate_url(url: Union[str, Sequence[str]]):
        if isinstance(validators.url(url), validators.ValidationError):
            raise ValueError(ERROR_MESSAGES.INVALID_URL)
        if not ENABLE_RAG_LOCAL_WEB_FETCH:
-            # Check if the URL exists by making a HEAD request
-            try:
-                response = requests.head(url, allow_redirects=True)
-                if response.status_code != 200:
+            # Local web fetch is disabled, filter out any URLs that resolve to private IP addresses
+            parsed_url = urllib.parse.urlparse(url)
+            # Get IPv4 and IPv6 addresses
+            ipv4_addresses, ipv6_addresses = resolve_hostname(parsed_url.hostname)
+            # Check if any of the resolved addresses are private
+            # This is technically still vulnerable to DNS rebinding attacks, as we don't control WebBaseLoader
+            for ip in ipv4_addresses:
+                if validators.ipv4(ip, private=True):
+                    raise ValueError(ERROR_MESSAGES.INVALID_URL)
+            for ip in ipv6_addresses:
+                if validators.ipv6(ip, private=True):
                    raise ValueError(ERROR_MESSAGES.INVALID_URL)
-            except requests.exceptions.RequestException:
-                raise ValueError(ERROR_MESSAGES.INVALID_URL)
        return True
    elif isinstance(url, Sequence):
        return all(validate_url(u) for u in url)
@ -731,6 +736,17 @@ def validate_url(url: Union[str, Sequence[str]]):
        return False


+def resolve_hostname(hostname):
+    # Get address information
+    addr_info = socket.getaddrinfo(hostname, None)
+
+    # Extract IP addresses from address information
+    ipv4_addresses = [info[4][0] for info in addr_info if info[0] == socket.AF_INET]
+    ipv6_addresses = [info[4][0] for info in addr_info if info[0] == socket.AF_INET6]
+
+    return ipv4_addresses, ipv6_addresses
+
+
 def search_web(engine: str, query: str) -> list[SearchResult]:
    """Search the web using a search engine and return the results as a list of SearchResult objects.
    Will look for a search engine API key in environment variables in the following order:
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
 	"name": "open-webui",
-	"version": "0.3.3",
+	"version": "0.3.4",
 	"lockfileVersion": 3,
 	"requires": true,
 	"packages": {
 		"": {
 			"name": "open-webui",
-			"version": "0.3.3",
+			"version": "0.3.4",
 			"dependencies": {
 				"@codemirror/lang-javascript": "^6.2.2",
 				"@codemirror/lang-python": "^6.1.6",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "open-webui",
-	"version": "0.3.3",
+	"version": "0.3.4",
 	"private": true,
 	"scripts": {
 		"dev": "npm run pyodide:fetch && vite dev --host",
--- a/src/app.html
+++ b/src/app.html
@ -121,7 +121,7 @@
 						id="progress-bar"
 						style="
 							position: absolute;
-							width: 100%;
+							width: 0%;
 							height: 0.75rem;
 							border-radius: 9999px;
 							background-color: #fff;
--- a/src/lib/apis/tools/index.ts
+++ b/src/lib/apis/tools/index.ts
@ -34,7 +34,7 @@ export const createNewTool = async (token: string, tool: object) => {
 export const getTools = async (token: string = '') => {
 	let error = null;

-	const res = await fetch(`${WEBUI_API_BASE_URL}/tools`, {
+	const res = await fetch(`${WEBUI_API_BASE_URL}/tools/`, {
 		method: 'GET',
 		headers: {
 			Accept: 'application/json',
--- a/src/lib/components/admin/Settings/Documents.svelte
+++ b/src/lib/components/admin/Settings/Documents.svelte
@ -166,6 +166,8 @@
 				chunk_size: chunkSize
 			}
 		});
+
+		await updateQuerySettings(localStorage.token, querySettings);
 	};

 	const setEmbeddingConfig = async () => {