forked from open-webui/open-webui
Merge pull request from GHSA-39wr-r5vm-3jxj
fix: allowed hosts
commit
554e56687c
1 changed files with 7 additions and 0 deletions
|
@ -970,6 +970,13 @@ def parse_huggingface_url(hf_url):
|
||||||
async def download_file_stream(
|
async def download_file_stream(
|
||||||
ollama_url, file_url, file_path, file_name, chunk_size=1024 * 1024
|
ollama_url, file_url, file_path, file_name, chunk_size=1024 * 1024
|
||||||
):
|
):
|
||||||
|
allowed_hosts = ["https://huggingface.co/", "https://github.com/"]
|
||||||
|
|
||||||
|
if not any(file_url.startswith(host) for host in allowed_hosts):
|
||||||
|
raise ValueError(
|
||||||
|
"Invalid file_url. Only URLs from allowed hosts are permitted."
|
||||||
|
)
|
||||||
|
|
||||||
done = False
|
done = False
|
||||||
|
|
||||||
if os.path.exists(file_path):
|
if os.path.exists(file_path):
|
||||||
|
|
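Review bot: The `startswith` check at the top of `download_file_stream` validates only the URL string as submitted, so whether the download stays on an allowed host depends on how the HTTP client further down handles redirects, which is outside this hunk. If redirects are followed there, each hop should be re-checked against the same list or redirects should be disabled. Comparing parsed components would also be sturdier than prefix matching, for example `u = urlparse(file_url)` followed by `if u.scheme != "https" or u.hostname not in ALLOWED_HOSTS:`, with `ALLOWED_HOSTS = {"huggingface.co", "github.com"}` as a module-level constant (this needs `urllib.parse.urlparse` in scope). If the prefix form is kept, add a comment such as `# trailing slash is required: it stops look-alike hosts such as huggingface.co.example from matching`, since the entries are URL prefixes rather than hosts. The function body continues past the end of the hunk.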