Dancer2 0.206000 released, addresses potential security issues
Dancer2 0.206000 has been released, and it is recommended that all users of Dancer2 should upgrade as soon as it is feasible to address several potential security issues:
There is a potential RCE with regards to Storable. We have added session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Please see the Storable documentation for more information.
We have changed from
HTTP::Entity::Parser(the same as Plack uses) for parsing requests. Apart from being faster, this change also resolves a situation when forwarding requests where the request body could be re-parsed without correctly seeking a filehandle to the beginning of the request body, potentially resulting in an infinite loop. The implementation using
HTTP::Entity::Parserdoes not require the request body to be re-parsed. This addresses a potential DoS attack vector.
In addition to the security fixes, this release offers a number of bug fixes and documentation enhancements. Thanks to all who contributed, both old and new. The complete changelog is as follows:
0.206000 2018-04-19 22:09:46-04:00 America/New_York [ BUG FIXES ] * GH #1090, #1406: Replace HTTP::Body with HTTP::Entity::Parser in Dancer2::Core::Request. (Russell @veryrusty Jenkins) * GH #1292: Fix multiple attribute definitions within Plugins (Nigel Gregoire) * GH #1304: Fix the order by which config files are loaded, independently of their filename extension (Alberto Simões, Russell @veryrusty Jenkins) * GH #1400: Fix infinite recursion with exceptions that use circular references. (Andre Walker) * GH #1430: Fix `dancer2 gen` from source directory when Dancer2 not installed. (Tina @perlpunk Müller - Tina) * GH #1434: Add `validate_id` method to verify a session id before requesting the session engine fetch it from its data store. (Russell @veryrusty Jenkins) * GH #1435, #1438: Allow XS crush_cookie methods to return an arrayref of values. (Russell @veryrusty Jenkins) * GH #1443: Update copyright year (Joseph Frazer) * GH #1445: Use latest HTTP::Headers::Fast (Russell @veryrusty Jenkins) * PR #1447: Fix missing build requires (Mohammad S Anwar) [ ENHANCEMENTS ] * PR #1354: TemplateToolkit template engine will log (at debug level) if a template is not found. (Kiel R Stirling, Russell @veryrusty Jenkins) * GH #1432: Support Content-Disposition of inline in send_file() (Dave Webb) * PR #1433: Verbose testing in AppVeyor (Graham Knop) [ DOCUMENTATION ] * GH #1314: Documentation tweaks (David Precious) * GH #1317: Document serializer configuration (sdeseille) * GH #1386: Add Hello World example (Gabor Szabo) * PR #1408: List project development resources (Steve Dondley) * PR #1426: Move performance improvement information from Migration guide to Deployment (Pedro Melo)
Thank you to our outstanding community and contributors. Keep on dancing!
Leave a comment