From 50bde8b7f2edf89b56805ad9fb30ac3833eb6d65 Mon Sep 17 00:00:00 2001
From: Michael Lazar
Date: Sun, 24 May 2020 21:29:19 -0400
Subject: [PATCH 1/2] Fix a security vulnerability that allowed maliciously crafted URLs to break out of the root server directory.
---
 CHANGELOG.md | 11 ++++++++---
 jetforce.py | 2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fcec033..7ff5687 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,11 +2,16 @@
 ### Unreleased
-### v0.2.2 (2012-03-31)
+### v0.2.3 (2020-05-24)
+
+- Fix a security vulnerability that allowed maliciously crafted URLs to break
+ out of the root server directory.
+
+### v0.2.2 (2020-03-31)
 - Fix a regression in path matching for the static directory application.
-### v0.2.1 (2012-03-31)
+### v0.2.1 (2020-03-31)
 - A hostname can now be specified in the route pattern, to facilitate running multiple vhosts on a single jetforce server.
@@ -17,7 +22,7 @@
 - Added the following CGI variables for client certificates: TLS_CLIENT_NOT_BEFORE, TLS_CLIENT_NOT_AFTER, TLS_CLIENT_SERIAL_NUMBER
-### v0.2.0 (2012-01-21)
+### v0.2.0 (2020-01-21)
 #### Features
diff --git a/jetforce.py b/jetforce.py
index 8f33a9a..fb15299 100755
--- a/jetforce.py
+++ b/jetforce.py
@@ -298,7 +298,7 @@ class StaticDirectoryApplication(JetforceApplication):
 url_path = pathlib.Path(request.path.strip("/"))
 filename = pathlib.Path(os.path.normpath(str(url_path)))
- if filename.is_absolute() or str(filename.name).startswith(".."):
+ if filename.is_absolute() or str(filename).startswith(".."):
 # Guard against breaking out of the directory
 return Response(Status.NOT_FOUND, "Not Found")
From 524df0d56a84ed1d8a76ed5240416de04ab94010 Mon Sep 17 00:00:00 2001
From: Michael Lazar
Date: Sun, 24 May 2020 21:31:41 -0400
Subject: [PATCH 2/2] Upping version
---
 jetforce.py | 2 +-
 setup.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/jetforce.py b/jetforce.py
index fb15299..43daf78 100755
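Review bot: The added guard on the `if` line is a string-prefix test, so it both over-rejects (a legitimately named file such as `..notes.txt` now yields 404) and under-specifies containment: it establishes that the normalised relative path does not begin with `..`, not that the file eventually opened lies inside the root, which a symlink under the served tree could still defeat. A component check is more precise, `if filename.is_absolute() or (filename.parts and filename.parts[0] == ".."):`, and the containment guarantee belongs where `filename` is joined to the root directory (outside this hunk), e.g. resolving the joined path and checking it with `relative_to` against the resolved root. Whether `request.path` has already been percent-decoded before this point is not visible here; if it has not, this check and the later filesystem lookup may be reasoning about different strings, which should be confirmed. A regression test feeding `/../` and `/a/../../` style paths through the application and asserting `Status.NOT_FOUND` would pin the fix. The enclosing method starts and ends outside the hunk.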
--- a/jetforce.py
+++ b/jetforce.py
@@ -54,7 +54,7 @@ import urllib.parse
 if sys.version_info < (3, 7):
 sys.exit("Fatal Error: jetforce requires Python 3.7+")
-__version__ = "0.2.2"
+__version__ = "0.2.3"
 __title__ = "Jetforce Gemini Server"
 __author__ = "Michael Lazar"
 __license__ = "Floodgap Free Software License"
diff --git a/setup.py b/setup.py
index 7d0e464..135c224 100644
--- a/setup.py
+++ b/setup.py
@@ -10,7 +10,7 @@ def long_description():
 setuptools.setup(
 name="Jetforce",
- version="0.2.2",
+ version="0.2.3",
 url="https://github.com/michael-lazar/jetforce",
 license="Other/Proprietary License",
 author="Michael Lazar",