Release version 3.0.9 (#273)

corydolphin · web-flow · commit 522d98936f39 · 2020-08-30T15:35:30.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
 
+## 3.0.9
+### Security
+ - Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly
+ evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for
+ "/api/*" whereas the path actually expands simply to "/foo.txt"
+
 ## 3.0.8
 Fixes : DeprecationWarning: Using or importing the ABCs from 'collections' in Python 3.7.
 Thank you @juanmaneo and @jdevera for the contribution.
diff --git a/flask_cors/version.py b/flask_cors/version.py
@@ -1 +1 @@
-__version__ = '3.0.8'
+__version__ = '3.0.9'
