Dancer2 0.203000 improves session security, fixes decoding bugs

Dancer2 0.203000 is on its way to a CPAN mirror near you. This version brings some important security improvements and bugfixes:

  • It is considered good security practice to change a session ID whenever any change in privilege level occurs (such as logging into an app). Not only is this a good practice, but it is a requirement of some established security standards. To account for this, a new method, change_session_id() was added to make it easy for developers to issue a new session ID on privilege change.

At some point in the not-too-distant future, session drivers will be required to implement a _change_id() method to support this. In the meantime, Dancer2 will perform the operation for session drivers that lack this method.

Thanks to Ctrl O and InfoSaaS for sponsoring SysPete’s work on this important functionality!

  • An error made it possible for a request to have serialized data that wouldn’t be deserialized into body_parameters if any middleware had previously created a Plack::Request object and parsed the request body. A bugfix by veryrusty forces deserialization of body data even when an existing Plack::Request object has already parsed the request body.

  • A bug introduced in Dancer2 0.200000 was double-decoding deserialized data. This has been fixed.

  • Three functions were introduced for developer convenience: code_mapping(), status_mapping() and all_mappings(). These methods allow your code to access copies of Dancer’s HTTP_CODES table, rather than having to copy the table for your own use. See the docs for Dancer2::Core::HTTP for more information.

  • Several documentation improvements were made by Racke, including documentation of a session’s data() method.
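As an added illustration of the first item above (this is example code written for this post, not code from the Dancer2 project), here is the login/logout flow of a small Dancer2 application that rotates the session ID at the point where the privilege level changes. It assumes Dancer2 0.203000 or later so that the change_session_id keyword exists, uses the built-in Simple (in-memory) session driver, and the credential store and route names are constructed for illustration only:

```perl
package MyApp;
use Dancer2;

# Added example, not from the Dancer2 release post. Assumes Dancer2 >= 0.203000
# (change_session_id keyword). The Simple driver keeps sessions in memory; the
# rotation point shown here does not depend on the driver in use.
set session => 'Simple';

# Constructed sample credential store for illustration only; a real
# application would verify against a stored password hash.
my %users = ( alice => 'correct horse battery staple' );

# Returns 1 when the supplied user/password pair matches the sample store.
sub credentials_ok {
    my ( $user, $pass ) = @_;
    return 0 unless defined $user && defined $pass && exists $users{$user};
    return $users{$user} eq $pass ? 1 : 0;
}

post '/login' => sub {
    my $user = body_parameters->get('user');
    my $pass = body_parameters->get('pass');

    unless ( credentials_ok( $user, $pass ) ) {
        status 401;
        return 'login failed';
    }

    # The privilege level changes here (anonymous -> authenticated), so a new
    # session ID is issued before any authenticated state is stored. Existing
    # session data is carried over; only the identifier the client presented
    # before login stops being valid.
    my $old_id = session->id;
    change_session_id;
    my $new_id = session->id;
    debug "session id rotated on login: $old_id -> $new_id";

    session user => $user;
    redirect '/';
};

get '/' => sub {
    my $user = session('user');
    return defined $user ? "logged in as $user" : 'anonymous';
};

post '/logout' => sub {
    # Leaving the privileged state: discard the session entirely rather than
    # handing its identifier on to the next anonymous visitor.
    app->destroy_session;
    redirect '/';
};

true;
```

Placed in lib/MyApp.pm of a generated application, this runs under plackup like any other Dancer2 app. The debug line exists only to make the rotation visible in the log when checking that a session driver performs the change as expected; it is not needed in production code.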

The full changelog is as follows:

0.203000  2016-08-24 22:09:56-05:00 America/Chicago

[ BUG FIXES ]
* GH #1232: Force deserialization of body data even when an existing 
  Plack::Request object has already parsed request body. Don't double
  decode deserialized data. (Russell Jenkins - @veryrusty)

[ ENHANCEMENTS ]
* GH #1195: Add change_session_id() method - both as a good security 
  practice and to comply with other established security standards.
  (Peter Mottram)
* GH #1234: Add convenience functions to access Dancer's HTTP_CODES
  table. (Yanick Champoux)

[ DOCUMENTATION ]
* Fix Typo (Stefan Hornburg - Racke)
* Document $session->data (Stefan Hornburg - Racke)

If you have any questions, please find us at irc.perl.org#dancer.

Just a reminder, the Dancer conference in Vienna, Austria is quickly approaching (it’s just a month away!). If you are interested in attending or giving a talk, please visit the conference website.

Happy Dancing!

Dancer 0.202000 allows plugins to call DSL (even of other plugins!) and fixes unicode support for parameter methods

Dancer2 0.202000 is on its way to a CPAN mirror near you, and brings several important bug fixes and enhancements.

Plugins may now easily call the application's DSL using $self->dsl. For example, logging a debugging message is as easy as $self->dsl->debug( "I'm in your plugin!" ); Plugins can now also call the syntax of plugins that they have loaded. Consider this example:

Your Dancer2 application (MyApp) uses plugin Foo. Plugin Foo uses plugin Bar. Plugin Bar adds baz() to the DSL. Plugin Foo can now access baz() (just like the DSL in Dancer2 works), however, baz() is only accessible to the Foo plugin, not MyApp.

Please keep in mind that if plugin Bar adds any hooks, those hooks are added to MyApp, but Bar’s DSL is not available to MyApp.
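The MyApp / Foo / Bar arrangement described above, as an added example written for this post (it is not code from the Dancer2 project). The three packages are shown in one listing but each would live in its own file under lib/. Package and keyword names are the ones the post uses; it is assumed that, once Foo has done `use Dancer2::Plugin::Bar`, Bar's keyword is callable inside Foo as a plain baz(...) call, which is how the post describes it:

```perl
package Dancer2::Plugin::Bar;
# Added example, not Dancer2 project code. Bar contributes one keyword, baz().
use Dancer2::Plugin;

plugin_keywords 'baz';

# Plugin2 keywords are invoked as methods on the plugin object, so the first
# argument is the plugin instance, followed by the caller's arguments.
sub baz {
    my ( $plugin, $word ) = @_;
    return "baz($word)";
}

package Dancer2::Plugin::Foo;
use Dancer2::Plugin;
use Dancer2::Plugin::Bar;   # Foo loads Bar: baz() becomes visible to Foo only

plugin_keywords 'foo';

sub foo {
    my ( $plugin, $word ) = @_;

    # Calling the application's DSL from inside a plugin (0.202000+).
    $plugin->dsl->debug("I'm in your plugin!");

    # Calling the syntax of a plugin that this plugin loaded (0.202000+).
    # Assumption: baz() is reachable here as a plain call, as the post states.
    return 'foo(' . baz($word) . ')';
}

package MyApp;
use Dancer2;
use Dancer2::Plugin::Foo;

get '/' => sub {
    # foo() is part of MyApp's DSL because MyApp loaded Foo directly.
    return foo( query_parameters->get('word') // 'default' );
};

# Note: calling baz() here would be a compile-time error. Bar was loaded by
# Foo, not by MyApp, so Bar's DSL (though not Bar's hooks) stays private to Foo.

true;
```

The comment on the last route is the practical consequence of the note above: any hooks Bar registers still attach to MyApp, but Bar's keywords are only in scope for the plugin that loaded it.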

The parameter methods in Dancer2 (body_parameters(), etc.) were not decoding Unicode values passed to them. All parameter methods are now decoding Unicode characters.

There have been several maintenance issues regarding Type::Tiny::XS, and these were causing compilation and runtime failures for users of Dancer2 on Strawberry Perl. Until these issues are resolved, we have returned to using MooX::Types::MooseLike for type checking. If you’re a plugin author, please check your plugin against this release as this change may require some reworking on your part. Please find us on irc.perl.org#dancer with any questions or help you may need.

A memory leak was uncovered in Dancer2::Plugin, and has been patched in this release. A test has been added to check for this in the future.

If you have HTTP::XSCookies installed, we will now use it, and cookie operations will be substantially faster.

The full changelog is as follows:

0.202000  2016-08-13 13:50:30-05:00 America/Chicago

[ BUG FIXES ]
* Fix memory leak in plugins. (Sawyer X)
* GH #1180, #1220: Revert (most of) GH #1120. Change back to using
  MooX::Types::MooseLike until issues around Type::Tiny are resolved.
  Peter (@SysPete) Mottram
* GH #1192: Decode body|query|request_parameters (Peter Mottram)
* GH #1224: Plugins defined with :PluginKeyword attribute are now 
  exported. (Yanick Champoux)
* GH #1226: Plugins can now call the DSL of the app via $self->dsl
  (Sawyer X)

[ ENHANCEMENTS ]
* PR #1223: Add YAML::XS to Recommends (Peter Mottram)
* PR #1117: If installed, use HTTP::XSCookies and all cookie operations 
  will be faster (Peter Mottram)
* PR #1228: Allow register_plugin() to pass @_ properly (Sawyer X)
* PR #1231: Plugins can now call the syntax of plugins they loaded 
  (Sawyer X)

[ DOCUMENTATION ]
* PR #1151: Note that config is immutable after first read (Peter Mottram)
* PR #1222: Update list of files generated by `dancer2 -a`, make name of 
  sample app consistent (Daniel Perrett)

If you have any questions, please find us at irc.perl.org#dancer.

Thank you to our amazing community and plugin developers for your continued support. Your questions, contributions, and the support you give the core team and each other continue to make the Dancer2 community great.

Just a reminder, the Dancer conference in Vienna, Austria is quickly approaching. If you are interested in attending or giving a talk, please visit the conference website.

Happy dancing!

Dancer2 0.201000 Released

Dancer2 0.201000 is on its way to a CPAN mirror near you.

The Dancer Core Developers are sad to announce the retirement of David Golden (xdg) from the core team. Dancer2 was made much better by his many contributions, and we are extremely grateful for all he has done.

We’d also like to announce the addition of Peter Mottram (SysPete) to the core team. SysPete has been working quietly behind the scenes on a number of projects, but has been a valuable member of the core team for some time now, and we are happy to have him aboard.

The core developers would most importantly like to give thanks to our awesome community for the numerous contributions towards this release. You rock!

We realize there was a long delay between releases leading up to 0.200000, and we sincerely hope not to go so long between releases in the future. The upgrade to Plugin2 was extremely long and complicated, but the core team hopes to move to a more regular release cycle going forward.

If you have any questions, please find us on #dancer on irc.perl.org.

The full changelog is as follows:

0.201000  2016-07-22 08:26:18-05:00 America/Chicago

[ BUG FIXES ]
* GH #1216: Make DSL work in edge-case of plugins calling DSL before the
  app class loaded Dancer2. (Sawyer X)
* GH #1210: Show proper module/line number in log output (Masaaki Saito)

[ ENHANCEMENTS ]
* GH #900: Switch from to_json to encode/encode_json (Nuno Ramos Carvalho)
* GH #1196: Move serializer from JSON to JSON::MaybeXS (Nuno Ramos Carvalho)
* GH #1215: Remove unused DANCER2_SHARE_DIR env variable (Jason A. Crome)

[ DOCUMENTATION ]
* PR #1213: Clarify params merging docs and related examples
  (Daniel Perrett)
* Add Peter Mottram (@SysPete) to list of core developers. (Russell Jenkins)
* PR #1208: Introduce appdir before it's used; simplify description of what
  a view is (James E Keenan)
* GH #1218: By request, remove David Golden from list of core developers.
  Created "emeritus" section to honor the contributions of former core
  developers. Thanks, xdg!

Dancer 0.200003 Released

Dancer 0.200003 is on its way to a CPAN mirror near you. I'd like to give a big shout out to the rest of the Dancer core team and our awesome community members for their work in bringing this release to fruition.

There are several changes in particular worth noting:

- There is a security fix for Dancer2::Session::YAML that prevents accepting a bad session cookie value from the client. Thanks SysPete!

- There was a swift response to the breakage caused by YAML 1.16. Originally, we patched Dancer2 to requi…

Support PerlDancer.... get a book!

Do you use Dancer? Even if you don't, want to help one of the most awesome projects in the Perl community grow and reach a wider audience? You can, and you can get a copy of the book we're writing for helping us out.

It's simple: go to https://www.kickstarter.com/projects/1856511822/perldancer-book and help fund our project. Not only will you get credited for your contribution in the book, you get a copy of the book for backing us too!

Help the Dancer devs bring D…