From b8136c124a68d67e0e6f5f1559442cb7b24bf83d Mon Sep 17 00:00:00 2001
From: Cory Dolphin
Date: Sun, 30 Aug 2020 15:33:27 -0600
Subject: [PATCH] Release version 3.0.9

---
 CHANGELOG.md | 6 ++++++
 flask_cors/version.py | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58671b0..7245c14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
 
+## 3.0.9
+### Security
+ - Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly
+ evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for
+ "/api/*" whereas the path actually expands simply to "/foo.txt"
+
 ## 3.0.8
 Fixes : DeprecationWarning: Using or importing the ABCs from 'collections' in Python 3.7.
 Thank you @juanmaneo and @jdevera for the contribution.
diff --git a/flask_cors/version.py b/flask_cors/version.py
index 8a7ae5d..f3b2d6d 100644
--- a/flask_cors/version.py
+++ b/flask_cors/version.py
@@ -1 +1 @@
-__version__ = '3.0.8'
+__version__ = '3.0.9'