Unverified Commit 268dc9b3 authored by akiba's avatar akiba

Fix a potential SSRF (server-side request forgery) attack reported in #12663

parent 42b72fe2
+22 −1
@@ -4,6 +4,8 @@ import os
import time
import datetime
import uvicorn
import ipaddress
import requests
import gradio as gr
from threading import Lock
from io import BytesIO
@@ -56,8 +58,27 @@ def setUpscalers(req: dict):


def decode_base64_to_image(encoding):
    def verify_url(url):
        import socket
        from urllib.parse import urlparse
        try:
            parsed_url = urlparse(url)
            domain_name = parsed_url.netloc
            host = socket.gethostbyname_ex(domain_name)
            for ip in host[2]:
                ip_addr = ipaddress.ip_address(ip)
                # https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address.is_global
                if not ip_addr.is_global:
                    return False
        except Exception:
            return False

        return True

    if encoding.startswith("http://") or encoding.startswith("https://"):
        import requests
        if not verify_url(encoding):
            raise HTTPException(status_code=500, detail="Invalid image url")

        response = requests.get(encoding, timeout=30, headers={'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36'})
        try:
            image = Image.open(BytesIO(response.content))
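Review bot: The resolved-address check can be bypassed with an HTTP redirect: the fetch on the line `response = requests.get(encoding, timeout=30, headers={...})` follows redirects by default, so a public host that answers 302 to `http://127.0.0.1:7860/...` makes the server request an internal address that `verify_url` never examined; pass `allow_redirects=False` (or re-run `verify_url` on every hop in `response.history` and on the final URL before trusting `response.content`). A second gap is the time between the `socket.gethostbyname_ex` lookup in `verify_url` and the fresh resolution `requests` performs for the connection, so a DNS-rebinding name that returns a public address first and a private one next still reaches the internal network; connecting to the validated IP (with the original host name in the `Host` header) closes it, otherwise a comment such as `# NOTE: not rebinding-safe; host is resolved again by requests` should record the residual risk. `verify_url` also passes `parsed_url.netloc` to the resolver, which still carries any `user@` or `:port` part and makes `gethostbyname_ex` raise, so legitimate `http://host:8080/x.png` URLs are rejected and IPv6 is never considered because `gethostbyname_ex` is IPv4-only; `parsed_url.hostname` together with `socket.getaddrinfo(hostname, None)` covers both families (and the `ipaddress.is_global` result for IPv4-mapped `::ffff:a.b.c.d` addresses depends on the interpreter version, which is worth a comment). A rejected URL is a client error, so `status_code=400` describes it better than 500. `decode_base64_to_image` continues past the end of this hunk.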