/ 
Plack-1.0053
⭐ Starred 488 / Plack::Handler::HTTP::Server::PSGI
Security Advisories (1)
CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

NAME

Plack::Handler::HTTP::Server::PSGI - adapter for HTTP::Server::PSGI

SYNOPSIS

% plackup -s HTTP::Server::PSGI \
    --host 127.0.0.1 --port 9091 --timeout 120

BACKWARD COMPATIBLITY

Since Plack 0.99_22 this handler doesn't support preforking configuration i.e. --max-workers. Use Starman or Starlet if you need preforking PSGI web server.

CONFIGURATIONS

host

Host the server binds to. Defaults to all interfaces.

port

Port number the server listens on. Defaults to 8080.

timeout

Number of seconds a request times out. Defaults to 300.

max-reqs-per-child

Number of requests per worker to process. Defaults to 100.

AUTHOR

Kazuho Oku

Tatsuhiko Miyagawa

SEE ALSO

Plack HTTP::Server::PSGI