From 1488830de126d3bad3ce375cf8fc2e5310e35e28 Mon Sep 17 00:00:00 2001
From: Alexander Neumann <alexander@bumpern.de>
Date: Sat, 12 Sep 2020 17:54:47 +0200
Subject: [PATCH] Add entry to changelog

---
 changelog/unreleased/issue-117 | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 changelog/unreleased/issue-117

diff --git a/changelog/unreleased/issue-117 b/changelog/unreleased/issue-117
new file mode 100644
index 0000000..5bfc896
--- /dev/null
+++ b/changelog/unreleased/issue-117
@@ -0,0 +1,19 @@
+Security: Stricter path sanitization
+
+The framework we're using in rest-server to decode paths to repositories
+allowed specifying URL-encoded characters in paths, including sensitive
+characters such as `/` (encoded as `%2F`).
+
+We've changed this unintended behavior, such that rest-server now rejects
+such paths. In particular, it is no longer possible to specify sub-repositories
+for users by encoding the path with `%2F`, such as `http://localhost:8000/foo%2Fbar`,
+which means that this will unfortunately be a breaking change in that case.
+
+If using sub-repositories for users is important to you, please let us know in
+the forum, so we can learn about your use case and implement this properly. As
+it currently stands, the ability to use sub-repositories was an unintentional
+feature made possible by the URL decoding framework used, and hence never meant
+to be supported in the first place. If we wish to have this feature in
+rest-server, we'd like to have it implemented properly and intentionally.
+
+https://github.com/restic/rest-server/issues/117