Dancer2 0.203000 improves session security, fixes decoding bugs
Dancer2 0.203000 is on its way to a CPAN mirror near you. This version brings some important security improvements and bugfixes:
- It is considered good security practice to change a session ID whenever any change in privilege level occurs (such as logging into an app). Not only is this a good practice, but it is a requirement of some established security standards. To account for this, a new method, `change_session_id()`, was added to make it easy for developers to issue a new session ID on privilege change.
  At some point in the not-too-distant future, session drivers will be required to implement a `_change_id()` method to support this. In the meantime, Dancer2 will perform the operation for session drivers that lack this method.
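As an added illustration (not code from the Dancer2 project or this post), here is a minimal Dancer2 app that rotates the session ID at the moment of login, so that a session identifier issued or observed before authentication is not carried across the privilege change. The `/login` and `/me` routes and the credential store are constructed for the example; `change_session_id` is called as a method on the app object, as the post describes.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Dancer2;

# Constructed demo credential store for this example only; a real
# application would verify a password hash, never a plaintext value.
my %users = ( alice => 'correct horse battery staple' );

post '/login' => sub {
    my $user = body_parameters->get('username');
    my $pass = body_parameters->get('password');

    unless ( defined $user && defined $pass
          && exists $users{$user} && $users{$user} eq $pass ) {
        status 401;
        return 'invalid credentials';
    }

    # The privilege level changes here: issue a fresh session ID while
    # keeping the session data, so a pre-login ID cannot be reused to
    # reach the authenticated session.
    app->change_session_id;

    session user => $user;
    return "logged in as $user";
};

get '/me' => sub {
    my $user = session('user');
    unless ( defined $user ) {
        status 401;
        return 'not logged in';
    }
    return "current user: $user";
};

# Logout is also a privilege change; drop the session entirely.
post '/logout' => sub {
    app->destroy_session;
    return 'logged out';
};

dance;
```

Run it with `plackup` or `perl app.pl`, log in, and compare the session cookie value before and after the POST to `/login`: the cookie should change while `session('user')` is retained.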
- An error made it possible for a request to have serialized data that wouldn’t be deserialized into `body_parameters` if any middleware had previously created a Plack::Request object and parsed the request body. A bugfix by veryrusty forces deserialization of body data even when an existing Plack::Request object has already parsed the request body.
- A bug introduced in Dancer2 0.200000 was double-decoding deserialized data. This has been fixed.
- Three functions were introduced for developer convenience: `all_mappings()`. These methods allow your code to access copies of Dancer’s `HTTP_CODES` table, rather than having to copy the table for your own use. See the docs for `Dancer2::Core::HTTP` for more information.
- Several documentation improvements were made by Racke, including documentation of a session’s
The full changelog is as follows:
```text
0.203000 2016-08-24 22:09:56-05:00 America/Chicago

    [ BUG FIXES ]
    * GH #1232: Force deserialization of body data even when an existing
      Plack::Request object has already parsed request body.
      Don't double decode deserialized data.
      (Russell Jenkins - @veryrusty)

    [ ENHANCEMENTS ]
    * GH #1195: Add change_session_id() method - both as a good security
      practice and to comply with other established security standards.
      (Peter Mottram)
    * GH #1234: Add convenience functions to access Dancer's HTTP_CODES table.
      (Yanick Champoux)

    [ DOCUMENTATION ]
    * Fix Typo (Stefan Hornburg - Racke)
    * Document $session->data (Stefan Hornburg - Racke)
```
If you have any questions, please find us at irc.perl.org#dancer.
Just a reminder, the Dancer conference in Vienna, Austria is quickly approaching (it’s just a month away!). If you are interested in attending or giving a talk, please visit the conference website.