Skip to content

Bump flask-cors from 3.0.8 to 3.0.9

Norman Ziegner requested to merge dependabot/pip/flask-cors-3.0.9 into master

Bumps flask-cors from 3.0.8 to 3.0.9.

Release notes

Sourced from flask-cors's releases.

Release 3.0.9

Security

  • Escape path before evaluating resource rules (thanks @praetorian-colby-morgan). Prior to this, flask-cors incorrectly evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for "/api/*" whereas the path actually expands simply to "/foo.txt"
Changelog

Sourced from flask-cors's changelog.

3.0.9

Security

  • Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for "/api/*" whereas the path actually expands simply to "/foo.txt"
Commits
  • 91babb9 Update Api docs for credentialed requests (#221)
  • 522d989 Release version 3.0.9 (#273)
  • 67c4b2c Fix request path normalization (#272)
  • 5c6e05e docs: Fix simple typo, garaunteed -> guaranteed
  • 566aef2 Fixed over-indentation
  • 8a4e6e7 Update changelog to give proper kudos to @juanmaneo and @jdevera
  • See full diff in compare view

Merge request reports

Loading