Blocked Paths Fix #10304

Merged
merged 5 commits into from
Jan 8, 2025

freddyaboulton
Collaborator

Description

Please include a concise summary, in clear English, of the changes in this pull request. If it closes an issue, please mention it here.

🎯 PRs Should Target Issues

Before you create a PR, please check to see if there is an existing issue for this change. If not, please create an issue before you create this PR, unless the fix is very small.

Not adhering to this guideline will result in the PR being closed.

Testing and Formatting Your Code

  1. PRs will only be merged if tests pass on CI. We recommend at least running the backend tests locally, please set up your Gradio environment locally and run the backend tests: bash scripts/run_backend_tests.sh

  2. Please run these bash scripts to automatically format your code: bash scripts/format_backend.sh, and (if you made any changes to non-Python files) bash scripts/format_frontend.sh

@gradio-pr-bot
Collaborator

gradio-pr-bot commented Jan 7, 2025

🪼 branch checks and previews

Name Status URL
Spaces ready! Spaces preview
Website ready! Website preview
🦄 Changes detected! Details

Install Gradio from this PR

pip install https://gradio-pypi-previews.s3.amazonaws.com/a8544007efc07ccbc89bbf85cee9044272d1a309/gradio-5.10.0-py3-none-any.whl

Install Gradio Python Client from this PR

pip install "gradio-client @ git+https://github.com/gradio-app/gradio@a8544007efc07ccbc89bbf85cee9044272d1a309#subdirectory=client/python"

Install Gradio JS Client from this PR

npm install https://gradio-npm-previews.s3.amazonaws.com/a8544007efc07ccbc89bbf85cee9044272d1a309/gradio-client-1.9.0.tgz

Use Lite from this PR

<script type="module" src="https://gradio-lite-previews.s3.amazonaws.com/a8544007efc07ccbc89bbf85cee9044272d1a309/dist/lite.js"></script>

@gradio-pr-bot
Collaborator

gradio-pr-bot commented Jan 7, 2025

🦄 change detected

This Pull Request includes changes to the following packages.

Package Version
gradio minor
  • Maintainers can select this checkbox to manually select packages to update.

With the following changelog entry.

Blocked Paths Fix

Maintainers or the PR author can modify the PR title to modify this entry.

Something isn't right?

  • Maintainers can change the version label to modify the version bump.
  • If the bot has failed to detect any changes, or if this pull request needs to update multiple packages to different versions or requires a more comprehensive changelog entry, maintainers can update the changelog file directly.


@freddyaboulton freddyaboulton marked this pull request as ready for review January 7, 2025 20:26
Member

@abidlabs abidlabs left a comment


The code changes look right but for some reason, I'm seeing some unexpected behavior when I test this PR.

(1) On one hand, the test pytest test/test_routes.py::TestRoutes::test_blocked_path_case_insensitive passes for me even without these changes. I'm testing on macOS, which should be case-insensitive.

(2) On the other hand, when I try the repro from the GHSA-j2jg-fq62-7c3h, I can still access files I should not be able to access, e.g.

http://127.0.0.1:7862/gradio_api/file=resources/ADMIN/credentials.txt

Let me know @freddyaboulton @dawoodkhan82 if you are not seeing this and I can dig deeper to see if it's an issue in my local environment.

@freddyaboulton
Collaborator Author

@abidlabs - I modified the test so that it fails on main and passes in the PR. Good catch. The external repro always failed for me in this PR though.

@abidlabs
Member

abidlabs commented Jan 8, 2025

LGTM thanks @freddyaboulton for updating the test! I figured out the issue was that I wasn't providing absolute paths for blocked_paths and allowed_paths (as per the repro). With absolute paths, the behavior is as expected!
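
The two points raised in this thread, a blocked-path check that has to ignore case on case-insensitive file systems and blocked_paths entries that have to be absolute, shown as an added Python example that is not part of the PR or of Gradio's code. It is a simplified model: APP_ROOT, the lowercase entry resources/admin and the helper names are constructed, and it assumes a check that compares the resolved request path with the blocklist entries as given.

```python
import posixpath
from pathlib import PurePosixPath

APP_ROOT = "/srv/app"  # constructed working directory (assumption)


def resolve(path: str) -> PurePosixPath:
    """Lexically resolve `path` against APP_ROOT; collapses '..' without touching disk."""
    return PurePosixPath(posixpath.normpath(posixpath.join(APP_ROOT, path)))


def is_under(path: PurePosixPath, root: PurePosixPath, fold_case: bool) -> bool:
    """Component-wise containment, so 'admin' does not match 'administrator'."""
    p, r = path.parts, root.parts
    if fold_case:
        p = tuple(c.casefold() for c in p)
        r = tuple(c.casefold() for c in r)
    return p[: len(r)] == r


def is_blocked(requested, blocked_paths, *, fold_case, resolve_entries):
    """Model of a blocklist check (hypothetical helper, not Gradio's API)."""
    target = resolve(requested)
    for entry in blocked_paths:
        # An entry left relative can never be a prefix of an absolute target.
        root = resolve(entry) if resolve_entries else PurePosixPath(entry)
        if is_under(target, root, fold_case):
            return True
    return False


REQUEST = "resources/ADMIN/credentials.txt"  # path from the repro URL in the thread
ABSOLUTE = ["/srv/app/resources/admin"]      # constructed blocklist entry
RELATIVE = ["resources/admin"]               # the same entry, given as a relative path

if __name__ == "__main__":
    # Exact-case comparison: ADMIN is not matched by admin, the file is served.
    print(is_blocked(REQUEST, ABSOLUTE, fold_case=False, resolve_entries=False))
    # Case-folded comparison: the request is blocked.
    print(is_blocked(REQUEST, ABSOLUTE, fold_case=True, resolve_entries=False))
    # Relative entry used as given: no match even with case folding.
    print(is_blocked(REQUEST, RELATIVE, fold_case=True, resolve_entries=False))
    # Relative entry resolved to an absolute path first: blocked.
    print(is_blocked(REQUEST, RELATIVE, fold_case=True, resolve_entries=True))
```

Folding case on a case-sensitive file system can only block more paths than intended, never fewer, so it is the safe default for a deny list.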

@freddyaboulton freddyaboulton enabled auto-merge (squash) January 8, 2025 19:23
@freddyaboulton freddyaboulton merged commit 6b63fde into main Jan 8, 2025
22 checks passed
@freddyaboulton freddyaboulton deleted the blocked-paths-fix branch January 8, 2025 19:29
dawoodkhan82 pushed a commit that referenced this pull request Jan 13, 2025
* add code

* add changeset

* Fix test

* empty

---------

Co-authored-by: gradio-pr-bot <gradio-pr-bot@users.noreply.github.com>