From 681fd4ff3b4b528ee6fbbbba5f74bbf26e19379a Mon Sep 17 00:00:00 2001
From: "Timothy J. Baek"
Date: Wed, 12 Jun 2024 10:55:26 -0700
Subject: [PATCH 1/4] fix: tools api
---
 src/lib/apis/tools/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/apis/tools/index.ts b/src/lib/apis/tools/index.ts
index 47a535cdf..9c620e7b5 100644
--- a/src/lib/apis/tools/index.ts
+++ b/src/lib/apis/tools/index.ts
@@ -34,7 +34,7 @@ export const createNewTool = async (token: string, tool: object) => {
 export const getTools = async (token: string = '') => {
 let error = null;
- const res = await fetch(`${WEBUI_API_BASE_URL}/tools`, {
+ const res = await fetch(`${WEBUI_API_BASE_URL}/tools/`, {
 method: 'GET',
 headers: {
 Accept: 'application/json',
From 529fcaa5c95dbb499a5fc3e53b4d5ccb2d1cc7b5 Mon Sep 17 00:00:00 2001
From: "Timothy J. Baek"
Date: Wed, 12 Jun 2024 11:07:04 -0700
Subject: [PATCH 2/4] fix: document query save
---
 src/lib/components/admin/Settings/Documents.svelte | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/lib/components/admin/Settings/Documents.svelte b/src/lib/components/admin/Settings/Documents.svelte
index 0e6527813..ab8996d92 100644
--- a/src/lib/components/admin/Settings/Documents.svelte
+++ b/src/lib/components/admin/Settings/Documents.svelte
@@ -166,6 +166,8 @@
 chunk_size: chunkSize
 }
 });
+
+ await updateQuerySettings(localStorage.token, querySettings);
 };
 const setEmbeddingConfig = async () => {
From 1163745a035b74b2cee7a97b13e37eafacb25dde Mon Sep 17 00:00:00 2001
From: "Timothy J. Baek"
Date: Wed, 12 Jun 2024 11:08:05 -0700
Subject: [PATCH 3/4] revert
---
 backend/apps/rag/main.py | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/backend/apps/rag/main.py b/backend/apps/rag/main.py
index 113e60ea8..0e493eaaa 100644
--- a/backend/apps/rag/main.py
+++ b/backend/apps/rag/main.py
@@ -717,13 +717,18 @@ def validate_url(url: Union[str, Sequence[str]]):
 if isinstance(validators.url(url), validators.ValidationError):
 raise ValueError(ERROR_MESSAGES.INVALID_URL)
 if not ENABLE_RAG_LOCAL_WEB_FETCH:
- # Check if the URL exists by making a HEAD request
- try:
- response = requests.head(url, allow_redirects=True)
- if response.status_code != 200:
+ # Local web fetch is disabled, filter out any URLs that resolve to private IP addresses
+ parsed_url = urllib.parse.urlparse(url)
+ # Get IPv4 and IPv6 addresses
+ ipv4_addresses, ipv6_addresses = resolve_hostname(parsed_url.hostname)
+ # Check if any of the resolved addresses are private
+ # This is technically still vulnerable to DNS rebinding attacks, as we don't control WebBaseLoader
+ for ip in ipv4_addresses:
+ if validators.ipv4(ip, private=True):
+ raise ValueError(ERROR_MESSAGES.INVALID_URL)
+ for ip in ipv6_addresses:
+ if validators.ipv6(ip, private=True):
 raise ValueError(ERROR_MESSAGES.INVALID_URL)
- except requests.exceptions.RequestException:
- raise ValueError(ERROR_MESSAGES.INVALID_URL)
 return True
 elif isinstance(url, Sequence):
 return all(validate_url(u) for u in url)
@@ -731,6 +736,17 @@ def validate_url(url: Union[str, Sequence[str]]):
 return False
+def resolve_hostname(hostname):
+ # Get address information
+ addr_info = socket.getaddrinfo(hostname, None)
+
+ # Extract IP addresses from address information
+ ipv4_addresses = [info[4][0] for info in addr_info if info[0] == socket.AF_INET]
+ ipv6_addresses = [info[4][0] for info in addr_info if info[0] == socket.AF_INET6]
+
+ return ipv4_addresses, ipv6_addresses
+
+
 def search_web(engine: str, query: str) -> list[SearchResult]:
 """Search the web using a search engine and return the results as a list of SearchResult objects.
 Will look for a search engine API key in environment variables in the following order:
From 70a85d611195bf8e580606617001e2849f141e75 Mon Sep 17 00:00:00 2001
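Review bot: In the `if not ENABLE_RAG_LOCAL_WEB_FETCH:` branch of validate_url, `resolve_hostname(parsed_url.hostname)` is called without a guard, so a hostname that fails to resolve surfaces as `socket.gaierror` rather than `ValueError(ERROR_MESSAGES.INVALID_URL)`. The block decision also rests entirely on `validators.ipv4(ip, private=True)` and `validators.ipv6(ip, private=True)`: which ranges that flag counts as private (loopback, link-local 169.254.0.0/16, IPv6 unique-local), and whether `ipv6` accepts the keyword at all, depend on the installed validators version, and a call that returns a falsy ValidationError lets the address through. Classifying the resolved addresses with the standard library's `ipaddress` and rejecting anything that is not `is_global` fails closed instead; it needs `import ipaddress` among the file's imports, which are outside this hunk, as is the start of validate_url. Only the hostname in the submitted URL is checked, so alongside the DNS rebinding caveat already in the comment, a redirect followed by the loader would presumably not be re-validated and deserves the same comment.

```python
if not ENABLE_RAG_LOCAL_WEB_FETCH:
    # … unchanged: urlparse(url) into parsed_url …
    try:
        ipv4_addresses, ipv6_addresses = resolve_hostname(parsed_url.hostname)
    except socket.gaierror:
        # An unresolvable host is reported like any other invalid URL
        raise ValueError(ERROR_MESSAGES.INVALID_URL)
    for ip in (*ipv4_addresses, *ipv6_addresses):
        # is_global is False for private, loopback and link-local addresses
        if not ipaddress.ip_address(ip).is_global:
            raise ValueError(ERROR_MESSAGES.INVALID_URL)
    return True
```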
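Review bot: resolve_hostname is added without a docstring or type hints, and its failure mode is not visible to callers: `socket.getaddrinfo` raises `socket.gaierror` when the name does not resolve. A signature of `def resolve_hostname(hostname: str) -> tuple[list[str], list[str]]:` with a docstring such as `"""Resolve hostname and return (ipv4_addresses, ipv6_addresses); raises socket.gaierror on lookup failure."""` would state that contract where the SSRF check depends on it. getaddrinfo is also called without a socket type, so the same address can come back once per socket type; passing `type=socket.SOCK_STREAM` or de-duplicating keeps the lists short, though duplicates do not change the outcome of the check.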
From: "Timothy J. Baek" Date: Wed, 12 Jun 2024 11:13:24 -0700 Subject: [PATCH 4/4] doc: changelog --- CHANGELOG.md | 8 ++++++++ package-lock.json | 4 ++-- package.json | 2 +- src/app.html | 2 +- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5c8f7186..7d6653c59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.3.4] - 2024-06-12 + +### Fixed + +- **🔒 Mixed Content with HTTPS Issue**: Resolved a problem where mixed content (HTTP and HTTPS) was causing security warnings and blocking resources on HTTPS sites. +- **🔍 Web Search Issue**: Addressed the problem where web search functionality was not working correctly. The `ENABLE_RAG_LOCAL_WEB_FETCH` option has been reintroduced to restore proper web searching capabilities. +- **💾 RAG Template Not Being Saved**: Fixed an issue where the RAG template was not being saved correctly, ensuring your custom templates are now preserved as expected. + ## [0.3.3] - 2024-06-12 ### Added diff --git a/package-lock.json b/package-lock.json index 5e2b811f3..f5b9d6a78 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "open-webui", - "version": "0.3.3", + "version": "0.3.4", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "open-webui", - "version": "0.3.3", + "version": "0.3.4", "dependencies": { "@codemirror/lang-javascript": "^6.2.2", "@codemirror/lang-python": "^6.1.6", diff --git a/package.json b/package.json index 12c213321..bf353ef7f 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "open-webui", - "version": "0.3.3", + "version": "0.3.4", "private": true, "scripts": { "dev": "npm run pyodide:fetch && vite dev --host", 
diff --git a/src/app.html b/src/app.html
index 347a7e7fa..a79343df5 100644
--- a/src/app.html
+++ b/src/app.html
@@ -121,7 +121,7 @@
 id="progress-bar"
 style="
 position: absolute;
- width: 100%;
+ width: 0%;
 height: 0.75rem;
 border-radius: 9999px;
 background-color: #fff;