From 522d98936f3995480fe3132b55415d74298d6790 Mon Sep 17 00:00:00 2001
From: Cory Dolphin
Date: Sun, 30 Aug 2020 15:35:30 -0600
Subject: [PATCH] Release version 3.0.9 (#273)
---
 CHANGELOG.md | 6 ++++++
 flask_cors/version.py | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58671b0..7245c14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
+## 3.0.9
+### Security
+ - Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly
+ evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for
+ "/api/*" whereas the path actually expands simply to "/foo.txt"
+
 ## 3.0.8
 Fixes : DeprecationWarning: Using or importing the ABCs from 'collections' in Python 3.7. Thank you @juanmaneo and @jdevera for the contribution.
diff --git a/flask_cors/version.py b/flask_cors/version.py
index 8a7ae5d..f3b2d6d 100644
--- a/flask_cors/version.py
+++ b/flask_cors/version.py
@@ -1 +1 @@
-__version__ = '3.0.8'
+__version__ = '3.0.9'