Dancer2 0.206000 released, addresses potential security issues

Dancer2 0.206000 has been released, and it is recommended that all users of Dancer2 should upgrade as soon as it is feasible to address several potential security issues:

  • There is a potential RCE with regards to Storable. We have added session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Please see the Storable documentation for more information.

  • We have changed from HTTP::Body to HTTP::Entity::Parser (the same as Plack uses) for parsing requests. Apart from being faster, this change also resolves a situation when forwarding requests where the request body could be re-parsed without correctly seeking a filehandle to the beginning of the request body, potentially resulting in an infinite loop. The implementation using HTTP::Entity::Parser does not require the request body to be re-parsed. This addresses a potential DoS attack vector.

In addition to the security fixes, this release offers a number of bug fixes and documentation enhancements. Thanks to all who contributed, both old and new. The complete changelog is as follows:

0.206000  2018-04-19 22:09:46-04:00 America/New_York

[ BUG FIXES ]
* GH #1090, #1406: Replace HTTP::Body with HTTP::Entity::Parser in
  Dancer2::Core::Request. (Russell @veryrusty Jenkins)
* GH #1292: Fix multiple attribute definitions within Plugins
  (Nigel Gregoire)
* GH #1304: Fix the order by which config files are loaded, independently
  of their filename extension (Alberto Simões, Russell @veryrusty Jenkins)
* GH #1400: Fix infinite recursion with exceptions that use circular
  references. (Andre Walker)
* GH #1430: Fix `dancer2 gen` from source directory when Dancer2 not
  installed. (Tina @perlpunk Müller - Tina)
* GH #1434: Add `validate_id` method to verify a session id before
  requesting the session engine fetch it from its data store.
  (Russell @veryrusty Jenkins)
* GH #1435, #1438: Allow XS crush_cookie methods to return an arrayref
  of values. (Russell @veryrusty Jenkins)
* GH #1443: Update copyright year (Joseph Frazer)
* GH #1445: Use latest HTTP::Headers::Fast (Russell @veryrusty Jenkins)
* PR #1447: Fix missing build requires (Mohammad S Anwar)

[ ENHANCEMENTS ]
* PR #1354: TemplateToolkit template engine will log (at debug level)
  if a template is not found. (Kiel R Stirling, Russell @veryrusty Jenkins)
* GH #1432: Support Content-Disposition of inline in
  send_file() (Dave Webb)
* PR #1433: Verbose testing in AppVeyor (Graham Knop)

[ DOCUMENTATION ]
* GH #1314: Documentation tweaks (David Precious)
* GH #1317: Document serializer configuration (sdeseille)
* GH #1386: Add Hello World example (Gabor Szabo)
* PR #1408: List project development resources (Steve Dondley)
* PR #1426: Move performance improvement information from Migration guide
  to Deployment (Pedro Melo)

Thank you to our outstanding community and contributors. Keep on dancing!

CromeDome

Leave a comment

About Jason A. Crome

user-pic Dancer developer, pilot, and hockey player.