New Dancer trial version released

David Precious has just released a new trial version of Dancer. There are some rather significant changes under the hood, and community testing and feedback is welcomed and encouraged.

Please find us here, on GitHub, on Twitter, or in #dancer on irc.perl.org with any questions, problems, or feedback.

Thanks! Keep dancing!

Dancer2 0.206000 released, addresses potential security issues

Dancer2 0.206000 has been released, and it is recommended that all users of Dancer2 should upgrade as soon as it is feasible to address several potential security issues:

  • There is a potential RCE with regard to Storable. We have added session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs before they are used to locate and deserialize session data, closing off the path to exploitation of the RCE. Please see the Storable documentation for more information.

  • We have changed from HTTP::Body to HTTP::Entity::Parser (the same parser Plack uses) for parsing requests. Apart from being faster, this change also resolves a situation where, when forwarding requests, the request body could be re-parsed without first seeking the filehandle back to the beginning of the body, potentially resulting in an infinite loop. The implementation using HTTP::Entity::Parser does not require the request body to be re-parsed. This addresses a potential DoS attack vector.
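The first fix above is a defensive check on a value the client controls. The following Perl is an added illustration of that idea, not Dancer2's own code: a hypothetical Storable-backed session store whose `validate_id` rejects any session ID that does not match the format the framework itself generates, so a malformed ID is refused before it is ever turned into a filename handed to Storable. The class name, directory and ID pattern are assumptions for this example.

```perl
#!/usr/bin/env perl
# Added example (not Dancer2's own code): validate a session ID before the
# backend uses it to locate and deserialize session data with Storable.
use strict;
use warnings;
use File::Spec;

package My::SessionStore;

# Hypothetical store: one Storable file per session under a fixed directory.
sub new {
    my ($class, %args) = @_;
    return bless { session_dir => $args{session_dir} }, $class;
}

# Accept only the character set a generated session ID can contain. Anything
# else (path separators, dots, whitespace, empty strings) is rejected before
# the ID is used to build a filename. The pattern and length bounds are an
# assumption for this example, not Dancer2's exact rule.
sub validate_id {
    my ($self, $id) = @_;
    return 0 unless defined $id;
    return $id =~ /\A[A-Za-z0-9_\-]{16,128}\z/ ? 1 : 0;
}

sub _session_path {
    my ($self, $id) = @_;
    return File::Spec->catfile($self->{session_dir}, "$id.stor");
}

# retrieve() never reaches Storable for an ID that failed validation.
sub retrieve {
    my ($self, $id) = @_;
    die "Invalid session ID\n" unless $self->validate_id($id);
    my $path = $self->_session_path($id);
    return unless -f $path;
    require Storable;
    return Storable::retrieve($path);    # only reached for well-formed IDs
}

package main;

# Constructed inputs: one well-formed ID, then three malformed ones.
my $store = My::SessionStore->new(session_dir => '/tmp/sessions');
for my $id ('k3Jd9sLq2mZx8vBn4tYw', '../../tmp/not-a-session', 'short', '') {
    printf "%-28s => %s\n", "'$id'",
        $store->validate_id($id) ? 'accepted' : 'rejected';
}
```

Running it prints one `accepted` line for the generated-style ID and `rejected` for the other three; the traversal-shaped ID is refused before `_session_path` or Storable is ever called.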

In addition to the security fixes, this release offers a number of bug fixes and documentation enhancements. Thanks to all who contributed, both old and new. The complete changelog is as follows:

0.206000  2018-04-19 22:09:46-04:00 America/New_York

[ BUG FIXES ]
* GH #1090, #1406: Replace HTTP::Body with HTTP::Entity::Parser in
  Dancer2::Core::Request. (Russell @veryrusty Jenkins)
* GH #1292: Fix multiple attribute definitions within Plugins
  (Nigel Gregoire)
* GH #1304: Fix the order by which config files are loaded, independently
  of their filename extension (Alberto Simões, Russell @veryrusty Jenkins)
* GH #1400: Fix infinite recursion with exceptions that use circular
  references. (Andre Walker)
* GH #1430: Fix `dancer2 gen` from source directory when Dancer2 not
  installed. (Tina @perlpunk Müller - Tina)
* GH #1434: Add `validate_id` method to verify a session id before
  requesting the session engine fetch it from its data store.
  (Russell @veryrusty Jenkins)
* GH #1435, #1438: Allow XS crush_cookie methods to return an arrayref
  of values. (Russell @veryrusty Jenkins)
* GH #1443: Update copyright year (Joseph Frazer)
* GH #1445: Use latest HTTP::Headers::Fast (Russell @veryrusty Jenkins)
* PR #1447: Fix missing build requires (Mohammad S Anwar)

[ ENHANCEMENTS ]
* PR #1354: TemplateToolkit template engine will log (at debug level)
  if a template is not found. (Kiel R Stirling, Russell @veryrusty Jenkins)
* GH #1432: Support Content-Disposition of inline in
  send_file() (Dave Webb)
* PR #1433: Verbose testing in AppVeyor (Graham Knop)

[ DOCUMENTATION ]
* GH #1314: Documentation tweaks (David Precious)
* GH #1317: Document serializer configuration (sdeseille)
* GH #1386: Add Hello World example (Gabor Szabo)
* PR #1408: List project development resources (Steve Dondley)
* PR #1426: Move performance improvement information from Migration guide
  to Deployment (Pedro Melo)

Thank you to our outstanding community and contributors. Keep on dancing!

CromeDome

Dancer2 0.206000_02 Trial Released

This is a quick update to yesterday's Dancer2 release to fix a couple of minor issues reported by the community. Please see the Changes file for details.

Thank you for the swift feedback! We are targeting an official release on or before April 20th.

Keep Dancing!

Dancer2 0.206000_01 trial version released

A trial release of Dancer2 (0.206000_01) was just uploaded, and should be available on your local mirror soon. This release addresses a couple of potential security exploits, and could use some scrutiny prior to an official release.

Please see the release for the full list of changes.

There will be a coordinated Dancer/Dancer2 release in the near future with more detail. In the meantime, the more eyes on this, the better. Please leave us your feedback through the usual channels (IRC, email, GitHub, etc.).

Thanks. Keep dancing!

Dancer2 0.205002 released; survey update

Dancer2 0.205002 has just been released and is on its way to your favorite CPAN mirror. Highlights include a number of documentation improvements (thank you, simbabque and ambs!) and the fixing of some lingering and pesky bugs (thanks to Nick Tonkin, Pierre Vigier, and our very own bigpresh, ambs, and veryrusty).

The full changelog is as follows:

0.205002  2017-10-17 16:08:25-05:00 America/Chicago

[ BUG FIXES ]
* GH #1362: Make cookies http_only by default (David Precious)
* GH #1366: Use proper shebang on dancer script and make EU::MM do the job
* GH #1373: Unset Dancer environment vars before testing (Alberto Simões)
* GH #1380: Consider class of error displayed when using show_errors
  (Nick Tonkin).
* GH #1383: Remove Deflater from default app skeleton (Pierre Vigier)
* GH #1385: Fix links inside the documentation (Alberto Simões)
* GH #1390: Honour no_server_tokens config in error responses (Russell
  @veryrusty Jenkins)

[ DOCUMENTATION ]
* GH #1285: Add "Default Template Variables" section to manual (simbabque)
* GH #1312: Fix docs for Dancer2::Core::Route->match, which takes a request
  object (simbabque).
* GH #1368: Don't allow XSS in tutorial (simbabque)
* GH #1383: Remove full URL on links to third party modules (Alberto Simões)
* GH #1395: Customize TT behavior via subclassing (simbabque).

There are two weeks left in the Dancer 2017 Survey! We have received close to 100 responses so far, and are still looking for more. Your input is valuable in charting the future of Dancer. If you have yet to fill out the survey, there’s still time. Responses will be accepted until 11:59 PM on October 31st.

Until then, keep on Dancing!