[dancer-users] Dancer 1.3400 released to CPAN - security fix, bugfixes and minor improvements

David Precious davidp at preshweb.co.uk
Fri Jun 15 23:30:48 BST 2018 

Hi all,

I'm pleased to say Dancer 1.3400 has just been released to CPAN.

it contains one security-related improvement, several bugfixes, and a
couple of minor enhancements.

Nothing groundbreaking, but the security update is worth updating for
if you use a session engine where the session ID from the client is
used in a way where injection is possible.

One thing to be aware of is the changes to how request->body gets you
the raw request.  In the past, we used to keep a copy of the request
body in RAM, which could of course be very inefficient for huge
requests. In PR #1134, I stopped us doing so, replacing request->body
with a convenience method which would read & return the body from the
temp file that HTTP::Body writes it to, so if you need the raw body,
you can still get it, but otherwise don't have the RAM overhead.
*However*, that led to confusion, because HTTP::Body only keeps the raw
request body in a temp file for certain types of request.

So, now, we have a new setting, raw_request_body_in_ram, which controls
the original "keep a copy of the request body as we parse it"
behaviour.  If it's true, then a copy is kept, you suffer the memory
hit, but request->body will always return you the raw request body.  If
you don't need access to it, though, set that setting to false and
enjoy lower memory usage.

For more details see https://github.com/PerlDancer/Dancer/pull/1178

Summary of changes:

[SECURITY]

 - Validate session IDs read from client - GH #1172 - potential security
   risk if the session provider in use passes the session ID in a way
   where injection is possible.


[BUGFIXES]

 - Avoid accidental route matches if a previous successful match had
 left %+ populated (GH 1187, PR 1188, bigpresh, reported by skington)

 - Avoid request body truncation in hand-assembled requests in tests (PR
   1148, skington)

 - require MIME::Types 2.17, as 2.16 has some funny ideas, like
responding to a ZIP file with 'application/vnd.easykaraoke.cdgdownload'

 - Fix YAML-related test failures if YAML::XS not installed
   (GH 1184, PR 1189, bigpresh)

 - Avoid tests failing when "localhost" doesn't resolve (PR 1142,
gbarco)

 - Avoid test failures due to race condition in selecting a port to
listen on by using 127.0.0.10 instead (more of a hacky workaround than
a fix, but should help (bigpresh)

 - Try to use 127.0.0.11 for listen tests, fall back to 127.0.0.1
   on systems that don't have 127/8, e.g. FreeBSD (GH 1183, PR 1185,
 bigpresh)

 - More temp directory handling fixes (Issue #1147)

 - Fix YAML session handler under taint mode (chrisjrob)


[ENHANCEMENTS]

 - Let Dancer::Test::dancer_response() handle supplying multiple params
   with the same name - Issue 1116 (bigpresh)

 - Add environment var hint to cookbook (PR 1161, castaway)

 - Make it possible to switch out YAML for YAML::XS for config parsing
 and serialisation (there was already an attempt at this in place, and
 it was documented as posisble, but didn't work) (PR 1164, 1nickt)

 - New test method response_redirect_like (PR 1159, 1nickt)

 - New config option raw_request_body_in_ram, which controls whether the
   raw request body is available via request->body or not.  See Issue
 #1140 for the problems the previous approach, of getting it from the
 temp file that HTTP::Body might (or might not) have written it to.

 - Better doc for forward_for_address (PR 1146, Relequestual)



Cheers

Dave P

More information about the dancer-users mailing list