Skip to content

[Small] Prevent bypassing media domain restriction via HTTP redirects #26035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 2, 2025
Merged

[Small] Prevent bypassing media domain restriction via HTTP redirects #26035

merged 3 commits into from
Oct 2, 2025

Conversation

@huachenheli
Copy link
Contributor

@huachenheli huachenheli commented Oct 1, 2025
edited by github-actions bot
Loading

Purpose

Addresses comment from Gemini in #25783 to prevent bypassing media domain restriction via HTTP redirects.

Test Plan

VLLM_MEDIA_URL_ALLOW_REDIRECTS=0 CUDA_VISIBLE_DEVICES=7 vllm serve Qwen/Qwen2.5-VL-3B-Instruct --port 8001 --host 0.0.0.0 --dtype bfloat16 --limit-mm-per-prompt '{"image": 1, "video":1}'

Test Result

Essential Elements of an Effective PR Description Checklist
  • The purpose of the PR, such as "Fix some issue (link existing issues this PR will resolve)".
  • The test plan, such as providing test command.
  • The test results, such as pasting the results comparison before and after, or e2e results
  • (Optional) The necessary documentation update, such as updating supported_models.md and examples for a new model.
  • (Optional) Release notes update. If your change is user facing, please update the release notes draft in the Google Doc.

@mergify mergify bot added documentation Improvements or additions to documentation multi-modality Related to multi-modality (#4194) labels Oct 1, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Oct 1, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request effectively addresses a security concern by introducing a mechanism to prevent bypassing media domain restrictions via HTTP redirects. The implementation adds a new environment variable, VLLM_MEDIA_URL_ALLOW_REDIRECTS, and correctly propagates the allow_redirects flag through the necessary function calls to the underlying HTTP clients. The documentation has also been updated accordingly. I have one suggestion to improve type consistency in the environment variable definition, which will enhance code clarity and maintainability.

@huachenheli
address comments
5e29dcc 
Signed-off-by: Chenheli Hua <[email protected]>
@DarkLight1337 DarkLight1337 added this to the v0.11.0 Cherry Picks milestone Oct 2, 2025
DarkLight1337
DarkLight1337 reviewed Oct 2, 2025
View reviewed changes
DarkLight1337
DarkLight1337 reviewed Oct 2, 2025
View reviewed changes
Copy link
Member

@DarkLight1337 DarkLight1337 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @russellb

@huachenheli
address comments
d2ee052 
Signed-off-by: Chenheli Hua <[email protected]>
@DarkLight1337 DarkLight1337 enabled auto-merge (squash) October 2, 2025 16:18
@github-actions github-actions bot added the ready ONLY add when PR is ready to merge/full CI is needed label Oct 2, 2025
@simon-mo simon-mo disabled auto-merge October 2, 2025 17:26
@simon-mo simon-mo merged commit ad87ba9 into vllm-project:main Oct 2, 2025
16 of 19 checks passed
@simon-mo
Copy link
Collaborator

simon-mo commented Oct 2, 2025

force merging to unblock release

simon-mo pushed a commit that referenced this pull request Oct 2, 2025
@huachenheli @simon-mo
[Small] Prevent bypassing media domain restriction via HTTP redirects (
9d9a2b7 
…#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Signed-off-by: simon-mo <[email protected]>
pdasigi pushed a commit to pdasigi/vllm that referenced this pull request Oct 2, 2025
@huachenheli @pdasigi
[Small] Prevent bypassing media domain restriction via HTTP redirects (
4937686 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
@huachenheli huachenheli deleted the security branch October 2, 2025 22:55
yewentao256 pushed a commit that referenced this pull request Oct 3, 2025
@huachenheli @yewentao256
[Small] Prevent bypassing media domain restriction via HTTP redirects (
c5880cf 
…#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Signed-off-by: yewentao256 <[email protected]>
tomeras91 pushed a commit to tomeras91/vllm that referenced this pull request Oct 6, 2025
@huachenheli @tomeras91
[Small] Prevent bypassing media domain restriction via HTTP redirects (
a26a1d3 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Signed-off-by: Tomer Asida <[email protected]>
southfreebird pushed a commit to southfreebird/vllm that referenced this pull request Oct 7, 2025
@huachenheli @southfreebird
[Small] Prevent bypassing media domain restriction via HTTP redirects (
98321bc 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
xuebwang-amd pushed a commit to xuebwang-amd/vllm that referenced this pull request Oct 10, 2025
@huachenheli @xuebwang-amd
[Small] Prevent bypassing media domain restriction via HTTP redirects (
9af276f 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Signed-off-by: xuebwang-amd <[email protected]>
choprahetarth pushed a commit to Tandemn-Labs/vllm that referenced this pull request Oct 11, 2025
@huachenheli @choprahetarth
[Small] Prevent bypassing media domain restriction via HTTP redirects (
4931b7e 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Signed-off-by: simon-mo <[email protected]>
shyeh25 pushed a commit to shyeh25/vllm that referenced this pull request Oct 14, 2025
@huachenheli @shyeh25
Prevent bypassing media domain restriction via HTTP redirects (vllm-p…
f26b37a 
…roject#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Signed-off-by: simon-mo <[email protected]>
lywa1998 pushed a commit to lywa1998/vllm that referenced this pull request Oct 20, 2025
@huachenheli @lywa1998
[Small] Prevent bypassing media domain restriction via HTTP redirects (
132532f 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
alhridoy pushed a commit to alhridoy/vllm that referenced this pull request Oct 24, 2025
@huachenheli @alhridoy
[Small] Prevent bypassing media domain restriction via HTTP redirects (
f0da208 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
xuebwang-amd pushed a commit to xuebwang-amd/vllm that referenced this pull request Oct 24, 2025
@huachenheli @xuebwang-amd
[Small] Prevent bypassing media domain restriction via HTTP redirects (
f154a9c 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Signed-off-by: xuebwang-amd <[email protected]>
rtourgeman pushed a commit to rtourgeman/vllm that referenced this pull request Nov 10, 2025
@huachenheli @rtourgeman
[Small] Prevent bypassing media domain restriction via HTTP redirects (
82a1121 
…vllm-project#26035)

Signed-off-by: Chenheli Hua <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DarkLight1337 DarkLight1337 DarkLight1337 approved these changes

@ywang96 ywang96 Awaiting requested review from ywang96 ywang96 is a code owner

@NickLucche NickLucche Awaiting requested review from NickLucche NickLucche is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation multi-modality Related to multi-modality (#4194) ready ONLY add when PR is ready to merge/full CI is needed

Projects

None yet

Milestone

v0.11.0 Cherry Picks

Development

Successfully merging this pull request may close these issues.

3 participants

@huachenheli @simon-mo @DarkLight1337