Dancer2 0.203000 improves session security, fixes decoding bugs
Dancer2 0.203000 is on its way to a CPAN mirror near you. This version brings some important security improvements and bugfixes:
- It is considered good security practice to change a session ID whenever any change in privilege level occurs (such as logging into an app). Not only is this a good practice, but it is a requirement of some established security standards. To account for this, a new method, change_session_id(), was added to make it easy for developers to issue a new session ID on privilege change. At some point in the not-too-distant future, session drivers will be required to implement a _change_id() method to support this. In the meantime, Dancer2 will perform the operation for session drivers that lack this method.
Thanks to Ctrl O and InfoSaaS for sponsoring SysPete’s work on this important functionality!
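To show where the new method fits, here is an added example of a login and logout route pair that rotates the session ID at the moment privilege changes. It is illustrative code written for this post, not code from the Dancer2 distribution; the check_credentials() routine and the username/password values it accepts are constructed placeholders, and it assumes change_session_id() is invoked on the app object (app->change_session_id) with a configured session engine.

```perl
package MyApp;
use strict;
use warnings;
use Dancer2;

# Hypothetical credential check; a real app would consult its password store.
# The accepted values below are constructed for this demo only.
sub check_credentials {
    my ( $user, $pass ) = @_;
    return $user eq 'alice' && $pass eq 'correct horse battery staple';
}

post '/login' => sub {
    my $user = body_parameters->get('username') // '';
    my $pass = body_parameters->get('password') // '';

    unless ( check_credentials( $user, $pass ) ) {
        status 401;
        return 'Invalid credentials';
    }

    # Privilege is about to increase: issue a fresh session ID *before*
    # storing the authenticated identity, so any ID the client held (or
    # had planted on it) prior to login no longer maps to this session.
    app->change_session_id;

    session user => $user;
    return "Logged in as $user";
};

get '/account' => sub {
    my $user = session('user')
      or do { status 403; return 'Login required' };
    return "Account page for $user";
};

post '/logout' => sub {
    # Privilege decreases here: drop the session entirely rather than
    # leaving an authenticated ID lying around.
    app->destroy_session;
    redirect '/';
};

true;
```

The ordering matters: the ID is rotated first and the user identity is written afterwards, so the session data moves with the new ID and nothing authenticated is ever associated with the pre-login ID. On the way out, destroy_session() (an existing Dancer2 method) removes the session instead of merely clearing the user key.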
- An error made it possible for a request to have serialized data that wouldn’t be deserialized into body_parameters if any middleware had previously created a Plack::Request object and parsed the request body. A bugfix by veryrusty forces deserialization of body data even when an existing Plack::Request object has already parsed the request body.
- A bug introduced in Dancer2 0.200000 was double-decoding deserialized data. This has been fixed.
- Three functions were introduced for developer convenience: code_mapping(), status_mapping() and all_mappings(). These methods allow your code to access copies of Dancer’s HTTP_CODES table, rather than having to copy the table for your own use. See the docs for Dancer2::Core::HTTP for more information.
- Several documentation improvements were made by Racke, including documentation of a session’s data() method.
The full changelog is as follows:
0.203000 2016-08-24 22:09:56-05:00 America/Chicago
[ BUG FIXES ]
* GH #1232: Force deserialization of body data even when an existing
Plack::Request object has already parsed request body. Don't double
decode deserialized data. (Russell Jenkins - @veryrusty)
[ ENHANCEMENTS ]
* GH #1195: Add change_session_id() method - both as a good security
practice and to comply with other established security standards.
(Peter Mottram)
* GH #1234: Add convenience functions to access Dancer's HTTP_CODES
table. (Yanick Champoux)
[ DOCUMENTATION ]
* Fix Typo (Stefan Hornburg - Racke)
* Document $session->data (Stefan Hornburg - Racke)
If you have any questions, please find us at irc.perl.org#dancer.
Just a reminder, the Dancer conference in Vienna, Austria is quickly approaching (it’s just a month away!). If you are interested in attending or giving a talk, please visit the conference website.
Happy Dancing!