Security Advisories (3)
CPANSA-Plack-2015-0202 (2015-02-02)

Fixed a possible directory traversal with Plack::App::File on Win32.

CPANSA-Plack-2014-0801 (2014-08-01)

Plack::App::File would previously strip trailing slashes off provided paths. This, in combination with the common pattern of serving files with Plack::Middleware::Static, could allow an attacker to bypass a whitelist of generated files.

CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

NAME

Plack::Middleware::AccessLog::Timed - Logs requests with time and accurate body size

SYNOPSIS

# in app.psgi
use Plack::Builder;

builder {
    enable "Plack::Middleware::AccessLog::Timed",
        format => "%v %h %l %u %t \"%r\" %>s %b %D";
    $app;
};

DESCRIPTION

Plack::Middleware::AccessLog::Timed is a subclass of Plack::Middleware::AccessLog, but uses a wrapped body handle to get the actual response body size %b (even if the body is neither an array of chunks nor a real filehandle) and the time taken to serve the request: %T or %D.

This wraps the response body output stream to capture the time taken for the PSGI server to read the whole response body.

This means that while this middleware is in use, server-side optimizations such as sendfile(2) cannot be applied to the response, and middleware such as Plack::Middleware::ContentLength cannot infer the body size from the filehandle, because the body is no longer a real filehandle.

If all you want is to capture the time taken in your PSGI application and do not want the wrapped body behavior described above, consider instead applying Plack::Middleware::Runtime and using Plack::Middleware::AccessLog to log the X-Runtime header.
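The following app.psgi is an added example, not code from the Plack distribution, showing the two set-ups side by side: AccessLog::Timed wrapping a streaming body (neither an array nor a real filehandle) to get a real %b and %D, versus Plack::Middleware::Runtime plus plain AccessLog logging the X-Runtime header. The environment variable PLACK_LOG_VARIANT, the log prefixes and the body lines are assumptions made for this example.

```perl
# app.psgi (added example; run with `plackup app.psgi`)
use strict;
use warnings;
use Plack::Builder;
use Plack::Util;

# Constructed body: an IO::Handle-like object with getline/close, so the
# response carries no Content-Length and Plack::Util::content_length
# cannot size it. This is the case AccessLog::Timed exists for.
my @lines = ("line one\n", "line two\n", "line three\n");
my $app = sub {
    my @pending = @lines;
    my $body = Plack::Util::inline_object(
        getline => sub { shift @pending },   # undef at EOF
        close   => sub { },
    );
    return [ 200, [ 'Content-Type' => 'text/plain' ], $body ];
};

# Variant A: Timed wraps the body; %b becomes the bytes actually read
# (30 here) and %D the microseconds until the body was fully consumed.
# The wrapped handle is not a real filehandle, so sendfile(2) and
# ContentLength's size guessing no longer apply to this response.
my $timed = builder {
    enable "AccessLog::Timed",
        format => '%h %l %u %t "%r" %>s %b %D',
        logger => sub { print STDERR "timed: ", @_ };
    $app;
};

# Variant B: body left untouched. Runtime adds an X-Runtime response
# header with the seconds spent in the app; AccessLog sits outside it
# so it sees that header and logs it via %{X-Runtime}o. %b is "-" for
# this body because its size is unknown without wrapping.
my $runtime = builder {
    enable "AccessLog",
        format => '%h %l %u %t "%r" %>s %b %{X-Runtime}o',
        logger => sub { print STDERR "runtime: ", @_ };
    enable "Runtime";
    $app;
};

# PLACK_LOG_VARIANT is an assumed switch for this example only.
( $ENV{PLACK_LOG_VARIANT} // 'timed' ) eq 'runtime' ? $runtime : $timed;
```

Start with `PLACK_LOG_VARIANT=runtime plackup app.psgi` to compare the two log lines for the same request.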

CONFIGURATION

Same as Plack::Middleware::AccessLog.

AUTHOR

Tatsuhiko Miyagawa

SEE ALSO

Plack::Middleware::AccessLog

Plack::Middleware::Runtime