[dancer-users] Potential security issues fixed in recent releases

Russell Jenkins russell.jenkins at strategicdata.com.au
Tue Jun 16 03:16:13 BST 2015

Hello fellow Dancers.

We've been notified about a potential security issue that affects both 
Dancer and Dancer2.

For releases up to
   * Dancer  v1.3136, or
   * Dancer2 v0.160001
it was possible to abuse session cookie values so that file-based 
session stores
such as Dancer::Session::YAML or Dancer2::Session::YAML would attempt to
read/write from any file on the filesystem with the same extension the 
store uses, such as '*.yml' for the YAML stores.

The issue was reported by Andrew Beverley and fixed in the following 
   * Dancer  v1.3138    (Yanick Champoux)
   * Dancer2 v0.160002  (Russell Jenkins)
The updated packages are now available from your favorite CPAN mirror.

The file-based session stores are intended to be used for prototyping 
and testing.
While we do not recommend using file-based session stores in production, 
may be single-machine production environments where they are useful. If 
you are
using any of the file-based session stores in production, we strongly 
advise you
to upgrade.

Thanks for your trust, and happy dancing!

   Sawyer, Yanick & Russell.

More information about the dancer-users mailing list