[Dancer-users] security release 1.3071
sukria at sukria.net
Thu Jul 28 12:48:16 CEST 2011
Hello fellow Dancers.
We've been notified about a security issue that affects Dancer 1.3070.
Indeed, since 1.3070, it was possible to abuse the static file serving
feature to obtain files from a directory immediately above the directory
configured to serve static files from.
This issue has been reported by Vladimir Lettiev and fixed by David
Precious. Note that we've added more tests in the suite to make sure
this issue cannot come back in future releases.
I've published a security release yesterday: 1.3071 which provides the
very patch needed to solve the issue. Also be aware that the diff
between 1.3070 and 1.3071 is minimal, it only provides the security fix:
We strongly advice you to upgrade to 1.3071 if you're running under
1.3070 in production.
Thanks for your trust, and happy dancing.
Alexis Sukrieh -+- Hackers gonna hack!
“The problem with quotes on the Internet is that you can't always be
sure of their authenticity.” -- Abraham Lincoln
More information about the Dancer-users