From 737ded695913de99db88d90384bde552d297dde9 Mon Sep 17 00:00:00 2001
From: oobabooga <112222186+oobabooga@users.noreply.github.com>
Date: Mon, 16 Mar 2026 05:37:46 -0700
Subject: [PATCH] Web search: Fix SSRF validation to block all non-global IPs

---
 modules/web_search.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/web_search.py b/modules/web_search.py
index 9bebc846..e13ef62a 100644
--- a/modules/web_search.py
+++ b/modules/web_search.py
@@ -28,8 +28,8 @@ def _validate_url(url):
     try:
         for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
             ip = ipaddress.ip_address(sockaddr[0])
-            if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
-                raise ValueError(f"Access to private/internal address {ip} is blocked")
+            if not ip.is_global:
+                raise ValueError(f"Access to non-public address {ip} is blocked")
     except socket.gaierror:
         raise ValueError(f"Could not resolve hostname: {hostname}")