fix: open-redirect bypass in oauth._redirect_to_target (4+ leading slashes) (#13438)
The CVE-2026-28415 fix stripped scheme/host via `urlparse(target).path`,
but `urlparse` keeps 4+ leading slashes in `.path` (e.g. "////evil.com/foo"
-> "//evil.com/foo"). The function echoed that scheme-relative value as the
redirect Location, which browsers resolve against the current scheme,
sending the user to an external host — fully restoring the open redirect
(CWE-601, GHSA-vwgg-rgg9-xx9q).
Collapse any leading slashes/backslashes so the redirect target is always a
single-slash, same-origin path. Backslashes are collapsed too since browsers
treat them as path separators.
Add a regression test driving `_redirect_to_target` with multi-slash and
backslash payloads (real Starlette Request, no mocks), verified to fail on
the pre-fix implementation.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
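
Added worked example (not the project's code; `pre_fix_redirect_path`, `browser_leaves_origin`, `safe_redirect_path` and the payload list are illustrative stand-ins for `_redirect_to_target`, and the pre-fix function is a reconstruction of the `urlparse(target).path` approach described above). It reproduces why four or more leading slashes survive `urlparse`, classifies what a browser does with the echoed value, and applies the collapse-to-one-slash fix to the same payloads:

```python
"""Added example: reproduce the multi-slash bypass and the collapsing fix.

Illustrative code only; the functions below are stand-ins for the real
`_redirect_to_target`, not the project's implementation.
"""
from urllib.parse import urlparse, urlsplit


def pre_fix_redirect_path(target: str) -> str:
    """Reconstruction of the CVE fix's approach: trust urlparse(target).path.

    urlparse consumes an authority only when the string starts with exactly
    "//". With four or more leading slashes it drops the first two, leaves
    the rest in .path, and the result is still scheme-relative. Backslashes
    are never treated as separators by urlparse at all.
    """
    return urlparse(target).path or "/"


def browser_leaves_origin(location: str) -> bool:
    """Would a browser resolve a path-like Location against another host?

    For http(s) the WHATWG URL parser treats "\\" like "/" and skips every
    extra slash after the first two, so a value that begins with any two
    characters from {"/", "\\"} starts an authority: "//x", "////x", "\\\\x"
    and "/\\x" all leave the current origin. Only path-like strings (what
    both redirect functions here return) are classified.
    """
    return len(location) >= 2 and location[0] in "/\\" and location[1] in "/\\"


def safe_redirect_path(target: str) -> str:
    """Hardened version: collapse every leading "/" and "\\" to one "/".

    urlsplit is used instead of urlparse so a trailing ";params" segment is
    not split off the path. The query is kept because it follows a
    same-origin path and cannot change the host; scheme, netloc and fragment
    are discarded.
    """
    parts = urlsplit(target)
    path = "/" + parts.path.lstrip("/\\")
    return path + ("?" + parts.query if parts.query else "")


# Constructed payloads: the reported case plus the variants a regression
# test should cover (more slashes, backslashes, mixed, already-blocked, benign).
PAYLOADS = [
    "////evil.com/foo",        # 4 slashes: the reported bypass
    "/////evil.com/foo",       # 5 slashes
    "\\\\evil.com/foo",        # 2 backslashes
    "/\\evil.com/foo",         # slash + backslash
    "//evil.com/foo",          # 2 slashes: already blocked by the CVE fix
    "https://evil.com/foo",    # absolute URL: already blocked
    "/dashboard?tab=1",        # legitimate same-origin target
]


def compare(payloads=PAYLOADS):
    """Return {payload: (pre_fix_location, pre_fix_escapes, hardened_location)}."""
    out = {}
    for p in payloads:
        before = pre_fix_redirect_path(p)
        out[p] = (before, browser_leaves_origin(before), safe_redirect_path(p))
    return out


if __name__ == "__main__":
    for payload, (before, escapes, after) in compare().items():
        flag = "BYPASS" if escapes else "ok    "
        print(f"{flag} {payload!r:26} pre-fix={before!r:22} hardened={after!r}")
```

Three slashes ("///evil.com/foo") are not a bypass in the pre-fix reconstruction because `urlparse` strips two and the remaining single-slash path is same-origin; the problem starts at four, which is why the test payloads must go past three. The hardened function returns a single-slash path for every input, including an empty target.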