Security Advisories (4)

CPANSA-Plack-2015-0202 (2015-02-02)

Fixed a possible directory traversal with Plack::App::File on Win32.

CPANSA-Plack-2014-0801 (2014-08-01)

Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files

https://github.com/plack/Plack/pull/446

CPANSA-Plack-2013-0131 (2013-01-31)

Fixed directory traversal bug in Plack::App::File on win32 environments

CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

NAME

Plack::Loader::Shotgun - forking implementation of plackup

SYNOPSIS

plackup -L Shotgun

DESCRIPTIOM

Shotgun loader delays the compilation and execution of your application until the runtime. When a new request comes in, this forks a new child, compiles your code and runs the application.

This should be an ultimate alternative solution when reloading with Plack::Middleware::Refresh doesn't work, or plackup's default -r filesystem watcher causes problems. I can imagine this is useful for applications which expects their application is only evaluated once (like in-file templates) or on operating systems with broken fork implementation, etc.

This is much like good old CGI's fork and run but you don't need a web server, and there's a benefit of preloading modules that are not likely to change. For instance if you develop a web application using Moose and DBIx::Class,

plackup -MMoose -MDBIx::Class -L Shotgun yourapp.psgi

would preload those modules and only re-evaluates your code in every request.

AUTHOR

Tatsuhiko Miyagawa with an inspiration from http://github.com/rtomayko/shotgun

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTIOM

AUTHOR

SEE ALSO

Module Install Instructions

Keyboard Shortcuts