Low
osv
GHSA-pfjf-5gxr-995x
Gradio has an Open Redirect in its OAuth Flow
Published Mar 1, 2026
CVSS 3.1
# Summary
The _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton).
## Details
```python
# Vulnerable helper as described in the advisory (behaviour unchanged).
# Gradio runs on FastAPI/Starlette, so RedirectResponse comes from starlette
# (also re-exported by fastapi.responses).
from starlette.responses import RedirectResponse


def _redirect_to_target(request, default_target="/"):
    # Untrusted value taken straight from the query string
    target = request.query_params.get("_target_url", default_target)
    return RedirectResponse(target)  # No validation: an absolute URL redirects off-site
```
An attacker can craft a URL like https://my-space.hf.space/logout?_target_url=https://evil.com/phishing that redirects the user to an external site after logout. Because the URL originates from a trusted hf.space domain, users are more likely to trust the link.
## Impact
Phishing — an attacker can use the trusted domain to redirect users to a malicious site. No direct data exposure or server-side impact.
## Fix
The _target_url parameter is now sanitized to only use the path, query, and fragment, stripping any scheme or host.
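As an added example (not Gradio's own patch), the sanitization described above written with only the standard library: scheme and host are dropped and only path, query and fragment survive. It also normalizes backslashes and collapses leading slash runs so the result can never be read as a protocol-relative URL, which goes beyond what the advisory states and is an assumption about the hardened behaviour.

```python
# Added example, not Gradio's code: reduce an untrusted redirect target to a
# same-origin path, as the advisory's fix describes (path + query + fragment,
# scheme and host stripped). The backslash and leading-slash handling is an
# extra hardening step assumed here, not stated in the advisory.
from urllib.parse import urlsplit, urlunsplit


def sanitize_target_url(raw: str, default: str = "/") -> str:
    """Return a same-origin relative target derived from `raw`."""
    if not raw:
        return default
    # Browsers treat "\" like "/" in http(s) URLs, so "/\host" would otherwise
    # be parsed by the client as the protocol-relative "//host".
    raw = raw.replace("\\", "/")
    parts = urlsplit(raw)
    # Drop parts.scheme and parts.netloc; keep only path, query and fragment.
    path = parts.path or "/"
    # Force exactly one leading slash so the result is an absolute path on the
    # current origin and can never start with "//" (protocol-relative form).
    path = "/" + path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, parts.fragment)) or default


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's attack shape plus common variants.
    for sample in (
        "https://evil.com/phishing",  # absolute URL -> "/phishing"
        "//evil.com/x",               # protocol-relative -> "/x"
        "/\\evil.com/a",              # backslash trick -> "/a"
        "/dashboard?tab=1#top",       # legitimate same-origin target kept as-is
        "",                           # missing -> default "/"
    ):
        print(repr(sample), "->", sanitize_target_url(sample))
```

The sanitized value would replace the raw query parameter before it is passed to RedirectResponse in the helper shown under Details.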
Affected AI Products
gradio