Security Advisories (1)
CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header if it is not set in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" on requests to services running behind nginx reverse proxies, and then set the X-Accel-Mapping header to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations: it disallows regular expressions in the mapping, and it applies the mapping only for the "X-Accel-Redirect" type.

NAME

Plack::App::File - Serve static files from root directory

SYNOPSIS

use Plack::App::File;
my $app = Plack::App::File->new(root => "/path/to/htdocs")->to_app;

# Or map the path to a specific file
use Plack::Builder;
builder {
    mount "/favicon.ico" => Plack::App::File->new(file => '/path/to/favicon.ico')->to_app;
};

DESCRIPTION

This is a static file server PSGI application, used internally by Plack::Middleware::Static. It serves a file from the document root when the request path matches a local file under that root. Use Plack::App::Directory if you also want to list the files in a directory.

CONFIGURATION

root

Document root directory. Defaults to . (the current directory).

file

The file path to create responses from. Optional.

If it's set, the application will ALWAYS build the response from that file, regardless of the request path, and performs no security checks on it (hence fast). If it's not set, the application uses root to locate the matching file.
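The difference between the two modes can be checked in-process with Plack::Test. This is an added example, not code from the Plack distribution; the document root, its files and the expected status codes are constructed here, and the 403/400 responses in root mode are the path checks Plack::App::File performs on PATH_INFO before touching the filesystem.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Plack::App::File;
use Plack::Test;
use HTTP::Request::Common;

# Constructed fixture: a document root with one public file, plus a file that
# lives one level above the root and must never be served.
my $base = tempdir(CLEANUP => 1);
my $root = File::Spec->catdir($base, 'htdocs');
mkdir $root or die "mkdir $root: $!";
_write(File::Spec->catfile($root, 'index.html'), "<h1>public</h1>\n");
_write(File::Spec->catfile($base, 'secret.txt'), "outside docroot\n");

sub _write {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $content;
    close $fh or die "close $path: $!";
}

# root mode: PATH_INFO is resolved beneath root, with the app's own checks.
my $root_app = Plack::App::File->new(root => $root)->to_app;
test_psgi app => $root_app, client => sub {
    my $cb = shift;
    my @cases = (
        [ '/index.html'        => 200 ],   # regular file under root
        [ '/../secret.txt'     => 403 ],   # a '..' segment is refused outright
        [ '/%2e%2e/secret.txt' => 403 ],   # same after PATH_INFO is URL-decoded
        [ '/index.html%00'     => 400 ],   # an embedded NUL byte is refused
        [ '/missing.html'      => 404 ],
    );
    for my $case (@cases) {
        my ($path, $want) = @$case;
        my $got = $cb->(GET $path)->code;
        printf "root mode %-22s -> %d %s\n", $path, $got,
            $got == $want ? 'ok' : "EXPECTED $want";
    }
};

# file mode: the request path is ignored and the configured file is always
# served, so none of the checks above run; only use it with a path you control.
my $fixed = File::Spec->catfile($root, 'index.html');
my $file_app = Plack::App::File->new(file => $fixed)->to_app;
test_psgi app => $file_app, client => sub {
    my $cb  = shift;
    my $res = $cb->(GET '/../secret.txt');
    printf "file mode /../secret.txt -> %d, body: %s", $res->code, $res->content;
};
```

Plack::Test and HTTP::Request::Common are installed with Plack and its HTTP::Message dependency, so the script needs nothing beyond a Plack installation.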

encoding

Set the file encoding for text files. Defaults to utf-8.

content_type

Set the file content type. If not set, Plack::MIME will try to detect it from the file extension, falling back to text/plain. It can also be set to a callback, which receives the full path of the file as $_[0] and should return the content type.

AUTHOR

Tatsuhiko Miyagawa

SEE ALSO

Plack::Middleware::Static
Plack::App::Directory