| author | Chris McDonough <chrism@plope.com> | 2011-09-08 03:36:52 -0400 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2011-09-08 03:36:52 -0400 |
| commit | 83faa0086d7bb816ea4b84148610a7cfe751e538 (patch) | |
| tree | cd5c16ae50884114807d8630dd651ebd30016f2a /CHANGES.txt | |
| parent | b01e971f204184e2ede685183d62d390a9081c74 (diff) | |
- Within ``pyramid.traversal.traversal_path``, canonicalize URL segments
from UTF-8 to Unicode before checking whether a segment matches literally
one of ``.``, the empty string, or ``..`` in case there's some sneaky way
someone might tunnel those strings via UTF-8 that don't match the literals
before decoded.
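
The ordering the commit message describes, as an added example in Python 3 (not Pyramid's code): decode each segment to text first, then compare it with ``.``, the empty string and ``..``. The function names are hypothetical, and the percent-decoding step and the skip/pop handling of matched segments are assumptions of this sketch that the page does not state.

```python
from urllib.parse import unquote_to_bytes

DOT_SEGMENTS = ("", ".")


def segments_checked_after_decoding(path):
    """Canonicalize every segment to text, then test it against the literals."""
    clean = []
    for raw in path.strip("/").split("/"):
        try:
            # Strict UTF-8 decoding: malformed byte sequences raise instead of
            # being silently mapped to some other character.
            segment = unquote_to_bytes(raw).decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("segment %r is not valid UTF-8" % raw) from exc
        if segment in DOT_SEGMENTS:
            continue                    # assumption: empty and "." are dropped
        if segment == "..":
            if clean:
                clean.pop()             # assumption: ".." removes the parent
            continue
        clean.append(segment)
    return tuple(clean)


def segments_checked_before_decoding(path):
    """The ordering to avoid: literals are tested on the still-encoded form."""
    clean = []
    for raw in path.strip("/").split("/"):
        if raw in DOT_SEGMENTS:
            continue
        if raw == "..":
            if clean:
                clean.pop()
            continue
        # Decoding happens only after the check, so a segment that becomes
        # ".." here was never compared against the literal.
        clean.append(unquote_to_bytes(raw).decode("utf-8"))
    return tuple(clean)


if __name__ == "__main__":
    sample = "/a/%2E%2E/b"              # constructed sample path
    print(segments_checked_before_decoding(sample))
    print(segments_checked_after_decoding(sample))
```
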
Diffstat (limited to 'CHANGES.txt')
| -rw-r--r-- | CHANGES.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index a946805bc..0afc57404 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -16,6 +16,17 @@ Bug Fixes inappropriately URL-quoted path segments in filenames when asking for files from the filesystem. +- Within ``pyramid.traversal.traversal_path`` , canonicalize URL segments + from UTF-8 to Unicode before checking whether a segment matches literally + one of ``.``, the empty string, or ``..`` in case there's some sneaky way + someone might tunnel those strings via UTF-8 that don't match the literals + before decoded. + +Features +-------- + +- Belt-and-suspenders security measure: canonicalize encoded URL + Documentation ------------- |
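Review bot: the entry added under the new Features heading, "- Belt-and-suspenders security measure: canonicalize encoded URL", stops mid-sentence before the Documentation heading, so the changelog ships with an incomplete bullet. Finish the sentence or drop the Features section; it also appears to describe the same ``traversal_path`` canonicalization already added under Bug Fixes a few lines above, so the change should be listed once, in whichever section is intended. In the Bug Fixes bullet, remove the space before the comma after ``pyramid.traversal.traversal_path`` and reword "that don't match the literals before decoded" (for example "that doesn't match the literals before decoding").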
