Security Advisories (1)
CVE-2025-40925 (2025-09-20)

Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.

NAME

Starch::Plugin::TimeoutStore - Throw an exception if a store access surpasses a timeout.

SYNOPSIS

my $starch = Starch->new(
    plugins => ['::TimeoutStore'],
    store => {
        class => '::Memory',
        timeout => 0.001, # 1 millisecond
    },
    ...,
);

DESCRIPTION

This plugin causes all calls to the store's set, get, and remove methods to throw an exception if they take longer than the configured timeout period.

The timeout is implemented using the alarm function and a localized $SIG{ALRM} handler that dies, which unwinds the blocked store call. Because Perl delivers signals only between opcodes (the "safe signals" behaviour), a call that is blocked inside C/XS code, such as a database driver waiting on a socket, is not interrupted until that code returns to Perl, so the exception can arrive late or not at all. Some stores implement timeouts themselves, and their native implementation is usually better than this naive one; prefer it when the store offers one.
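As an added illustration, not the plugin's own code, the following stand-alone Perl script shows the alarm-plus-localized-handler mechanism described above. The SlowStore package, the with_timeout helper and the session ids are constructed for this example; Time::HiRes::alarm is assumed so that fractional timeouts like the one in the SYNOPSIS work, and a timeout of 0 is treated as "disabled" to match the plugin's option.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Time::HiRes qw( alarm );    # assumed: fractional-second alarm, as the SYNOPSIS implies

# Constructed stand-in for a store backend (not Starch's ::Memory store).
# Its get() blocks for a configurable number of seconds using select(),
# which returns early when a signal arrives.
package SlowStore;

sub new {
    my ( $class, %args ) = @_;
    return bless { delay => $args{delay} || 0 }, $class;
}

sub get {
    my ( $self, $id ) = @_;
    select( undef, undef, undef, $self->{delay} ) if $self->{delay};
    return { id => $id, fetched => 1 };
}

package main;

# Hypothetical helper mirroring the plugin's mechanism: arm an alarm,
# install a localized $SIG{ALRM} handler that dies, and run the store call
# inside eval so the die unwinds the blocked call.
sub with_timeout {
    my ( $timeout, $code ) = @_;

    # 0 disables timeout checking, as the plugin's "timeout" option does.
    return $code->() if $timeout == 0;

    my $result;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "store call exceeded ${timeout}s\n" };
        alarm($timeout);
        $result = $code->();
        alarm(0);    # call finished in time: cancel the pending alarm
        1;
    };
    my $error = $@;
    alarm(0);        # also clear the alarm if the call died for another reason
    die $error if !$ok;
    return $result;
}

my $timeout = 0.05;    # 50 milliseconds

# A responsive backend returns normally.
my $fast = SlowStore->new( delay => 0 );
my $data = with_timeout( $timeout, sub { $fast->get('sess-1') } );
print "fast backend: fetched id $data->{id}\n";

# A hung backend is cut off by the alarm and the caller sees an exception.
my $slow = SlowStore->new( delay => 1 );
my $got = eval { with_timeout( $timeout, sub { $slow->get('sess-2') } ) };
print "slow backend: ", ( defined $got ? "unexpectedly returned\n" : "died: $@" );

# With timeout 0 the wrapper is transparent and the slow call simply completes.
my $unchecked = with_timeout( 0, sub { SlowStore->new( delay => 0.1 )->get('sess-3') } );
print "unchecked call: fetched id $unchecked->{id}\n";
```

The select()-based stand-in is interruptible precisely because it returns to Perl on EINTR; a backend that blocks inside XS code that retries on EINTR would not unwind until that code returned, which is the limitation noted above.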

The whole point of detecting timeouts is so that you can still serve a web page even if the underlying store backend is failing. The exception thrown by this plugin still has to be caught somewhere, so using it together with Starch::Plugin::LogStoreExceptions, which turns store exceptions into log messages instead of failing the request, is probably a good idea.

Note that this plugin does not behave well on Perl 5.8 or older and will error if you try to use it on a version of Perl older than 5.10. The rest of Starch works well on 5.8 and up.

OPTIONAL STORE ARGUMENTS

These arguments are added to classes which consume the Starch::Store role.

timeout

How many seconds a set, get, or remove call may take before an exception is thrown. Fractional values are accepted (the SYNOPSIS uses 0.001). Set to 0 to disable timeout checking. Defaults to 0.

AUTHORS AND LICENSE

See "AUTHOR" in Starch, "CONTRIBUTORS" in Starch, and "LICENSE" in Starch.