The commit diff shows critical modifications to _redirect_safe in login.py, replacing a check for parsed.netloc with a path-only comparison using urlunparse. This indicates the original implementation's validation was incomplete. The added test cases (///jupyter.org, /\some-host) demonstrate exploitation vectors the function previously allowed. The CVE description explicitly references 'empty netloc' handling as the root cause, directly tied to this redirect validation function.