From 83faa0086d7bb816ea4b84148610a7cfe751e538 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Thu, 8 Sep 2011 03:36:52 -0400 Subject: - Within ``pyramid.traversal.traversal_path`` , canonicalize URL segments from UTF-8 to Unicode before checking whether a segment matches literally one of ``.``, the empty string, or ``..`` in case there's some sneaky way someone might tunnel those strings via UTF-8 that don't match the literals before decoded. --- CHANGES.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index a946805bc..0afc57404 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -16,6 +16,17 @@ Bug Fixes inappropriately URL-quoted path segments in filenames when asking for files from the filesystem. +- Within ``pyramid.traversal.traversal_path`` , canonicalize URL segments + from UTF-8 to Unicode before checking whether a segment matches literally + one of ``.``, the empty string, or ``..`` in case there's some sneaky way + someone might tunnel those strings via UTF-8 that don't match the literals + before decoded. + +Features +-------- + +- Belt-and-suspenders security measure: canonicalize encoded URL + Documentation ------------- -- cgit v1.2.3
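Review bot: the new Features entry "Belt-and-suspenders security measure: canonicalize encoded URL" ends mid-sentence and records the same change as the Bug Fixes entry added a few lines earlier in this hunk; either finish the sentence or drop the Features entry so the change is logged once. Two smaller points in the Bug Fixes entry: the stray space before the comma in "``pyramid.traversal.traversal_path`` ," and "before decoded" should read "before being decoded". Since this view is limited to CHANGES.txt, the traversal_path change itself is not visible here; the ordering the changelog promises (decode each segment to Unicode first, only then compare against ``.``, the empty string and ``..``) should be verified against the code in the same commit.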
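The ordering the commit message describes, decode each segment first and only then compare it against the literals, as an added illustration that is not Pyramid's own code: `canonical_segments` percent-decodes and strictly UTF-8-decodes each segment before the `.`/`..`/empty check, while `naive_segments` shows the order the fix guards against, where an encoded form of `..` survives the check and is stored as a literal segment. The function names, the choice to split on `/` before decoding, and the constructed sample paths are assumptions of this example, not Pyramid behaviour.

```python
# Added example, not code from the Pyramid project. It demonstrates why a
# traversal-style path splitter must canonicalise a segment before comparing it
# with "", "." and "..", which is the ordering the commit message describes.
from urllib.parse import unquote_to_bytes


def canonical_segments(path: str) -> tuple:
    """Return the canonical segment tuple for a raw request path.

    Order of operations (a design choice of this example):
      1. split the raw path on "/";
      2. percent-decode each segment to bytes;
      3. decode those bytes as strict UTF-8, so overlong or malformed
         sequences raise UnicodeDecodeError instead of being accepted;
      4. only then compare the decoded text against "", "." and "..".
    """
    clean = []
    for raw in path.strip("/").split("/"):
        segment = unquote_to_bytes(raw).decode("utf-8")  # strict decoding
        if segment == "" or segment == ".":
            continue
        if segment == "..":
            if clean:
                clean.pop()
            continue
        clean.append(segment)
    return tuple(clean)


def naive_segments(path: str) -> tuple:
    """The ordering the fix guards against: compare first, decode afterwards.

    Kept only to make the difference visible in the checks below; an encoded
    ".." passes the literal comparison and is then stored as a segment.
    """
    clean = []
    for raw in path.strip("/").split("/"):
        if raw == "" or raw == ".":
            continue
        if raw == "..":
            if clean:
                clean.pop()
            continue
        clean.append(unquote_to_bytes(raw).decode("utf-8"))
    return tuple(clean)


def is_valid_path(path: str) -> bool:
    """True if every segment decodes as strict UTF-8, False otherwise.

    A defender-side check: rejecting undecodable input up front is simpler
    than reasoning about what a lenient decoder would have turned it into.
    """
    try:
        canonical_segments(path)
    except UnicodeDecodeError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample paths for demonstration.
    for sample in ("/a/b/../c", "/a/%2e%2e/c", "/caf%C3%A9/./x"):
        print(sample, "->", canonical_segments(sample), "| naive:", naive_segments(sample))
    # "%C0%AE" is an overlong encoding of "."; strict UTF-8 rejects it.
    print("/%C0%AE%C0%AE/x valid:", is_valid_path("/%C0%AE%C0%AE/x"))
```

The strict `decode("utf-8")` is doing real work here: overlong encodings such as `%C0%AE` never reach the comparison at all, so there is no lenient-decoder output to reason about.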