Security Advisories (4)

CPANSA-Plack-2015-0202 (2015-02-02)

Fixed a possible directory traversal with Plack::App::File on Win32.

CPANSA-Plack-2014-0801 (2014-08-01)

Plack::App::File would previously strip trailing slashes off provided paths. This, in combination with the common pattern of serving files with Plack::Middleware::Static, could allow an attacker to bypass a whitelist of generated files.

CPANSA-Plack-2013-0131 (2013-01-31)

Fixed a directory traversal bug in Plack::App::File on Win32 environments.

CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

NAME

Plack::Middleware::AccessLog - Logs requests like Apache's log format

SYNOPSIS

# in app.psgi
use Plack::Builder;

builder {
    enable "Plack::Middleware::AccessLog", format => "combined";
    $app;
};

DESCRIPTION

Plack::Middleware::AccessLog forwards the request to the given app and logs request and response details to the logger callback. The format can be specified using Apache-like format strings (or combined or common for the default formats). If none is specified, combined is used.

This middleware uses a calculable content-length, determined by checking the body type, and cannot log the time taken to serve requests. It also logs the request before the response is actually sent to the client. Use Plack::Middleware::AccessLog::Timed if you want to log details after the response is transmitted to the client (more like a real web server).

This middleware is enabled by default when you run plackup in the default development environment.

CONFIGURATION

format

enable "Plack::Middleware::AccessLog",
    format => '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"';

Takes a format string (or a preset template combined or custom) to specify the log format. This middleware implements a subset of Apache's LogFormat templates:

%%    a percent sign
%h    REMOTE_ADDR from the PSGI environment, or -
%l    remote logname not implemented (currently always -)
%u    REMOTE_USER from the PSGI environment, or -
%t    [local timestamp, in default format]
%r    REQUEST_METHOD, REQUEST_URI and SERVER_PROTOCOL from the PSGI environment
%s    the HTTP status code of the response
%b    content length
%T    custom field for handling times in subclasses
%D    custom field for handling sub-second times in subclasses
%v    SERVER_NAME from the PSGI environment, or -
%V    HTTP_HOST or SERVER_NAME from the PSGI environment, or -

Some of these format fields are only supported by middleware that subclasses AccessLog.

In addition, custom values can be referenced, using %{name}, with one of the mandatory modifier flags i, o or t:

%{variable-name}i    HTTP_VARIABLE_NAME value from the PSGI environment
%{header-name}o      header-name header
%{time-format}t      localtime in the specified strftime format

logger

my $logger = Log::Dispatch->new(...);
enable "Plack::Middleware::AccessLog",
    logger => sub { $logger->log(level => 'debug', message => @_) };

Sets a callback to print log message to. It prints to psgi.errors output stream by default.
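
The %{variable-name}i field and the logger callback described above can record the X-Sendfile-Type and X-Accel-Mapping request headers named in CVE-2026-7381 and flag requests that carry them. This is an added example, not code from Plack or its documentation; it assumes the front-end proxy does not set these headers itself, and the request paths and the mapping value are constructed.

```perl
#!/usr/bin/env perl
# Added example, not Plack's own code.
use strict;
use warnings;
use Plack::Builder;
use Plack::Test;
use HTTP::Request::Common qw(GET);

# Assumption: the front-end proxy does not send these two headers itself,
# so any logged value other than "-" was supplied by the client.
my $format = '%h %t "%r" %>s %b'
           . ' sendfile_type="%{X-Sendfile-Type}i" accel_mapping="%{X-Accel-Mapping}i"';
my $clean_tail = ' sendfile_type="-" accel_mapping="-"';

my (@lines, @flagged);

# Logger callback: AccessLog passes each formatted line here.
my $logger = sub {
    my ($line) = @_;
    chomp $line;
    push @lines, $line;
    # Header values are client-controlled text, so compare everything from the
    # first occurrence of the field label instead of searching for a pattern.
    my $at = index $line, ' sendfile_type="';
    push @flagged, $line
        unless $at >= 0 && substr($line, $at) eq $clean_tail;
};

my $inner = sub { [ 200, [ 'Content-Type' => 'text/plain' ], ["ok\n"] ] };
my $app = builder {
    enable "Plack::Middleware::AccessLog", format => $format, logger => $logger;
    $inner;
};

# Constructed requests: one ordinary, one carrying the headers from the advisory.
test_psgi $app, sub {
    my $cb = shift;
    $cb->(GET '/index.html');
    $cb->(GET '/report.pdf',
        'X-Sendfile-Type' => 'X-Accel-Redirect',
        'X-Accel-Mapping' => '/constructed/src/=/constructed/dst/');
};

print "LOG  $_\n" for @lines;
print "FLAG $_\n" for @flagged;
```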

SEE ALSO

http://httpd.apache.org/docs/2.2/mod/mod_log_config.html
Rack::CustomLogger