Security Advisories
CVE-2025-40925 (2025-09-20)

Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID comes from a small set of numbers, and the epoch time may be guessed, if it is not leaked outright by the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
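The remedy for this class of weakness is to stop deriving ids from process state at all and draw them from the operating system's CSPRNG. The following Perl snippet is an added example and is not Starch's own code or its actual fix: it contrasts the seeding pattern the advisory describes with a generator built on Crypt::URandom (a CPAN module that reads the OS random source and dies rather than fall back to rand). The helper names weak_id and secure_id and the uniqueness check are constructed for illustration.

```perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);   # CPAN: OS CSPRNG (getrandom/urandom/CryptGenRandom)
use Digest::SHA qw(sha1_hex);     # core module, used only for the contrast below

# The pattern the advisory describes (illustrative reconstruction, not Starch's code):
# a hash over inputs an observer can guess or narrow down. Hashing does not add
# entropy, so the id space is only as large as the guessable inputs behind it.
my $counter = 0;
sub weak_id {
    my $ref = \my $anon;                     # reference address: process layout, not randomness
    return sha1_hex( join '|', ++$counter, time(), rand(), $$, "$ref" );
}

# Hardened form: 32 bytes (256 bits) straight from the OS CSPRNG, hex-encoded.
# Nothing here depends on the clock, the PID or the interpreter's memory layout.
sub secure_id {
    return unpack 'H*', urandom(32);
}

# Sanity check a defender can keep in a test suite: ids have the expected length
# and a sample of them contains no duplicates.
sub check_ids {
    my ($gen, $n) = @_;
    my %seen;
    for (1 .. $n) {
        my $id = $gen->();
        die "unexpected id length" unless length($id) == 64;
        die "duplicate id generated" if $seen{$id}++;
    }
    return scalar keys %seen;
}

printf "generated %d unique secure ids\n", check_ids(\&secure_id, 10_000);
print "example id: ", secure_id(), "\n";
```

Bytes::Random::Secure or Crypt::PRNG would serve the same purpose; the point is that the id's unpredictability must come from a cryptographic random source, not from hashing together values that a remote party can estimate.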

NAME

Starch::Manager - Entry point for accessing Starch state objects.

SYNOPSIS

See Starch.

DESCRIPTION

This module provides a generic interface to managing the storage of state data.

Typically you will be using the Starch module to create this object.

This class supports method proxies as described in "METHOD PROXIES" in Starch.

REQUIRED ARGUMENTS

store

The Starch::Store storage backend to use for persisting the state data. A hashref must be passed; it must contain at least a class key, and it is converted into a store object automatically.

The class can be fully qualified, or relative to the Starch::Store namespace. A leading :: signifies that the store's package name is relative.

More information about stores can be found at "STORES" in Starch.

OPTIONAL ARGUMENTS

expires

How long, in seconds, a state should live after the last time it was modified. Defaults to 60 * 60 * 2 (2 hours).

See "EXPIRATION" in Starch for more information.

plugins

Which plugins to apply to the Starch objects, specified as an array ref of plugin names. The plugin names can be fully qualified, or relative to the Starch::Plugin namespace. A leading :: signifies that the plugin's package name is relative.

Plugins can modify nearly any functionality in Starch. More information about plugins, as well as which plugins are available, can be found at "PLUGINS" in Starch.

namespace

The root namespace to put starch data in. In most cases this is just prepended to the state ID and used as the key for storing the state data. Defaults to starch-state.

key_separator

Used by "stringify_key" to combine the state namespace and ID. Defaults to :.

expires_state_key

The state key in which the "expires" value of Starch::State is stored. Defaults to __STARCH_EXPIRES__.

modified_state_key

The state key in which the "modified" value of Starch::State is stored. Defaults to __STARCH_MODIFIED__.

created_state_key

The state key in which the "created" value of Starch::State is stored. Defaults to __STARCH_CREATED__.

invalid_state_key

This key is used by stores to mark state data as invalid; when it is set in the state, the state will not be written to the store. Defaults to __STARCH_INVALID__.

This is used by the Starch::Plugin::LogStoreExceptions and Starch::Plugin::ThrottleStore plugins to avoid losing state data in the store when errors or throttling are encountered.

REQUIRED ARGUMENTS

factory

The underlying Starch::Factory object which manages all the plugins and state/store object construction.

This argument is automatically set when calling new on Starch.

METHODS

state

my $new_state = $starch->state();
my $existing_state = $starch->state( $id );

Returns a new Starch::State (or whatever "state_class" in Starch::Factory returns) object for the specified state ID.

If no ID is specified, or is undef, then an ID will be automatically generated.

Additional arguments can be passed after the ID argument. These extra arguments will be passed to the state object constructor.

stringify_key

my $store_key = $starch->stringify_key(
    $state_id,
    \@namespace,
);

This method is used by stores that store and lookup data by a string (all of them at this time). It combines the state ID with the "namespace" of the key data for the store request.
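The following Perl script is an added example, not code from the Starch distribution, that ties together the constructor arguments above (store, expires, namespace, key_separator) with the state and stringify_key methods. It assumes Starch->new accepts these arguments as documented here, that Starch::Store::Memory exists as a relative store class, and that the returned Starch::State object exposes id, data and save methods (those three names are assumptions, not taken from this page).

```perl
use strict;
use warnings;
use Starch;

# Build the manager through Starch->new; the store class is relative to
# Starch::Store because of the leading '::'. All values match the defaults
# described above, spelled out so the effect of each argument is visible.
my $starch = Starch->new(
    store         => { class => '::Memory' },
    expires       => 60 * 60 * 2,      # seconds since last modification; 2 hours
    namespace     => 'starch-state',
    key_separator => ':',
);

# state() with no ID creates a state with an automatically generated ID.
my $state = $starch->state();
$state->data->{user_id} = 42;   # assumed: data() is the writable state hashref
$state->save();                 # assumed: save() persists the state to the store

# state($id) reopens an existing state, e.g. from an ID read out of a cookie.
my $reopened = $starch->state( $state->id );   # assumed: id() returns the state ID
print "user_id = ", $reopened->data->{user_id}, "\n";

# Unknown or undef IDs are not an error: a fresh ID is generated instead.
my $fresh = $starch->state(undef);
print "fresh id differs: ", ( $fresh->id ne $state->id ? 'yes' : 'no' ), "\n";

# stringify_key is what string-keyed stores use to build the lookup key:
# the namespace parts joined to the state ID with key_separator.
my $store_key = $starch->stringify_key( $state->id, ['starch-state'] );
print "store key: $store_key\n";   # namespace, separator, then the state ID
```

Because the store key is simply namespace plus separator plus ID, the unpredictability of that key rests entirely on the ID generator; a store that can be enumerated by key gives away nothing extra only if the IDs themselves are unguessable, which is the point of the advisory at the top of this page.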

clone_data

Clones complex Perl data structures. Used internally to build "data" in Starch::State from "original_data" in Starch::State.

is_data_diff

Given two bits of data (scalar, array ref, or hash ref) this returns true if the data is different. Used internally by "is_dirty" in Starch::State.

AUTHORS AND LICENSE

See "AUTHOR" in Starch, "CONTRIBUTORS" in Starch, and "LICENSE" in Starch.