[Dancer-users] security release 1.3071

Alexis Sukrieh sukria at sukria.net
Thu Jul 28 12:48:16 CEST 2011


Hello fellow Dancers.

We've been notified about a security issue that affects Dancer 1.3070.

Indeed, since 1.3070, it was possible to abuse the static file serving 
feature to obtain files from a directory immediately above the directory 
configured to serve static files from.
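As an added example (not Dancer's code and not the 1.3071 patch), this is the kind of containment check a static-file handler needs to stop the traversal described above: the requested path is resolved against the public directory and anything that lands outside it is refused. The helper name safe_static_path and the temporary directory layout are assumptions for the demo.

```perl
#!/usr/bin/env perl
# Added example, not Dancer's code: a containment check for a static-file
# handler. Hypothetical helper safe_static_path($public_dir, $request_path)
# returns the resolved file path when it lies inside $public_dir, else undef.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

sub safe_static_path {
    my ($public_dir, $request_path) = @_;

    # Canonicalise the public root so symlinks, "." and ".." are resolved.
    my $root = realpath($public_dir);
    return unless defined $root;

    # Join the request onto the root and resolve the result the same way.
    # A request containing ".." climbs out of $root here and is caught below.
    (my $rel = $request_path) =~ s{^/+}{};
    my $candidate = realpath(File::Spec->catfile($root, $rel));
    return unless defined $candidate;

    # Containment test on the resolved path: it must start with "$root/".
    # The trailing separator stops "/srv/public_old" matching "/srv/public".
    return unless index($candidate, "$root/") == 0;
    return unless -f $candidate;    # only serve regular files
    return $candidate;
}

# Constructed demo layout: one public file, one secret file a level above.
my $base = tempdir(CLEANUP => 1);
make_path("$base/public");
for my $f ("$base/public/index.html", "$base/secret.txt") {
    open my $fh, '>', $f or die "$f: $!";
    print {$fh} "x\n";
    close $fh;
}

for my $req ('/index.html', '/../secret.txt', '/missing.html') {
    my $path = safe_static_path("$base/public", $req);
    printf "%-16s -> %s\n", $req, defined $path ? "serve $path" : "refused";
}
```

Only /index.html is served; the parent-directory request and the missing file are both refused.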

This issue has been reported by Vladimir Lettiev and fixed by David 
Precious. Note that we've added more tests in the suite to make sure 
this issue cannot come back in future releases.

I published a security release yesterday: 1.3071, which provides the 
very patch needed to solve the issue. Also be aware that the diff 
between 1.3070 and 1.3071 is minimal; it only contains the security fix:
http://search.cpan.org/diff?from=Dancer-1.3070&to=Dancer-1.3071

We strongly advise you to upgrade to 1.3071 if you're running 
1.3070 in production.

http://search.cpan.org/CPAN/authors/id/S/SU/SUKRIA/Dancer-1.3071.tar.gz

Thanks for your trust, and happy dancing.


-- 
Alexis Sukrieh                -+-                Hackers gonna hack!

“The problem with quotes on the Internet is that you can't always be
sure of their authenticity.” -- Abraham Lincoln

http://sukria.net                           http://twitter.com/sukria
