From c2cb64d3f8fca18d02149971b92c2707ca1814ff Mon Sep 17 00:00:00 2001
From: pragnyanramtha
Date: Sat, 16 May 2026 14:36:55 +0000
Subject: [PATCH] fix: reject non-default OpenAI base URL ports
---
 src/agents/models/openai_client_utils.py | 11 ++++++++++-
 tests/models/test_openai_client_utils.py | 8 ++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/agents/models/openai_client_utils.py b/src/agents/models/openai_client_utils.py
index 7f81d1efc1..a985ba417d 100644
--- a/src/agents/models/openai_client_utils.py
+++ b/src/agents/models/openai_client_utils.py
@@ -7,8 +7,17 @@
 def is_official_openai_base_url(base_url: object, *, websocket: bool = False) -> bool:
 parsed = urlsplit(str(base_url))
+ try:
+ port = parsed.port
+ except ValueError:
+ return False
+
 expected_scheme = "wss" if websocket else "https"
- return parsed.scheme == expected_scheme and parsed.hostname == "api.openai.com"
+ return (
+ parsed.scheme == expected_scheme
+ and parsed.hostname == "api.openai.com"
+ and port in (None, 443)
+ )
 def is_official_openai_client(client: AsyncOpenAI) -> bool:
diff --git a/tests/models/test_openai_client_utils.py b/tests/models/test_openai_client_utils.py
index dabd1f4d6e..b676459f64 100644
--- a/tests/models/test_openai_client_utils.py
+++ b/tests/models/test_openai_client_utils.py
@@ -13,6 +13,7 @@
 [
 "https://api.openai.com",
 "https://api.openai.com/v1/",
+ "https://api.openai.com:443/v1/",
 ],
 )
 def test_official_openai_base_url_matches_exact_host(base_url: str) -> None:
@@ -24,6 +25,9 @@ def test_official_openai_base_url_matches_exact_host(base_url: str) -> None:
 [
 "https://api.openai.com.evil/v1/",
 "https://api.openai.com.proxy.local/v1/",
+ "https://api.openai.com:444/v1/",
+ "https://api.openai.com:99999/v1/",
+ "https://api.openai.com:abc/v1/",
 "http://api.openai.com/v1/",
 "https://custom.example.test/v1/",
 ],
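Review bot: In the `is_official_openai_base_url` hunk of `src/agents/models/openai_client_utils.py`, the new `try` covers only `parsed.port`, while the `urlsplit(str(base_url))` call on the line above it can itself raise `ValueError` (for example on an unbalanced `[` in the authority), so a malformed base URL still propagates an exception instead of being classified as non-official. Moving the parse inside the guard keeps the check fail-closed for every unparseable input: `try:` / `parsed = urlsplit(str(base_url))` / `port = parsed.port`. The comparison also ignores userinfo, so a URL such as `https://user@api.openai.com/v1/` is still reported as official; if callers rely on a True result to decide what is sent to the endpoint, it may be worth additionally requiring `parsed.username is None and parsed.password is None`. A short docstring stating the contract (exact scheme, exact host, default port only, False on anything unparseable) would help the next reader.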
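Review bot: The rejected-port cases in the second hunk of `tests/models/test_openai_client_utils.py` are appended to a parametrized list that, going by the following hunk header, belongs to `test_official_openai_base_url_rejects_non_openai_hosts`, although the host in them is the official one; a separate `test_official_openai_base_url_rejects_non_default_ports` (or `pytest.param(..., id=...)` entries) would make a failure point at the port check. Neither this list nor the websocket assertions in the last hunk pin the empty-port form `https://api.openai.com:/v1/`, which `urlsplit` appears to report as `port is None` and which would therefore be accepted; adding it to whichever list matches the intended behaviour makes that decision explicit. The three websocket rejections repeat the HTTPS inputs verbatim and could share one parametrized list with a `websocket` flag.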
@@ -34,9 +38,13 @@ def test_official_openai_base_url_rejects_non_openai_hosts(base_url: str) -> Non
 def test_official_openai_websocket_base_url_matches_exact_host() -> None:
 assert is_official_openai_base_url("wss://api.openai.com/v1/", websocket=True) is True
+ assert is_official_openai_base_url("wss://api.openai.com:443/v1/", websocket=True) is True
 assert (
 is_official_openai_base_url("wss://api.openai.com.proxy.local/v1/", websocket=True) is False
 )
+ assert is_official_openai_base_url("wss://api.openai.com:444/v1/", websocket=True) is False
+ assert is_official_openai_base_url("wss://api.openai.com:99999/v1/", websocket=True) is False
+ assert is_official_openai_base_url("wss://api.openai.com:abc/v1/", websocket=True) is False
 def test_official_openai_client_rejects_client_without_base_url() -> None: