[dancer-users] Dancer::Plugin::SimpleCRUD security update
davidp at preshweb.co.uk
Sun May 6 20:12:48 BST 2018
Important notice for anyone using Dancer::Plugin::SimpleCRUD - if you
use the `auth` option to control access to the CRUD interface/routes
via DPAE, then please update to 1.15 immediately; previous versions
contain a security vulnerability as a result of incorrect calls to
_ensure_auth(), meaning that only some routes are correctly protected,
and some others aren't.

Full details can be seen in PR #109 which fixes this problem:

This is a pretty embarrassing fuckup - a security problem on one of my
projects. I hold my hands up and apologise to anyone affected by this,
for this is a stupid mistake. A better test suite would have caught

I'm not sure if a CVE ID is warranted or not, but I have submitted a
request for one via Distributed Weakness Filing Project, so they can
decide if one is required for this or not.

So, again, please upgrade immediately if you rely on the `auth` option,

Also, many many thanks to Josh Rabinowitz (joshrabinowitz) for finding
this problem and submitting a test which illustrates it.

Dave P (bigpresh)