Security Advisories (4)

CPANSA-Plack-2015-0202 (2015-02-02)

Fixed a possible directory traversal with Plack::App::File on Win32.

CPANSA-Plack-2014-0801 (2014-08-01)

Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files

https://github.com/plack/Plack/pull/446

CPANSA-Plack-2013-0131 (2013-01-31)

Fixed directory traversal bug in Plack::App::File on win32 environments

CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

NAME

Plack::App::CGIBin - cgi-bin replacement for Plack servers

SYNOPSIS

use Plack::App::CGIBin;
use Plack::Builder;

my $app = Plack::App::CGIBin->new(root => "/path/to/cgi-bin")->to_app;
builder {
    mount "/cgi-bin" => $app;
};

# Or from the command line
plackup -MPlack::App::CGIBin -e 'Plack::App::CGIBin->new(root => "/path/to/cgi-bin")->to_app'

DESCRIPTION

Plack::App::CGIBin allows you to load CGI scripts from a directory and convert them into a (persistent) PSGI application. This application uses CGI::Compile to compile a cgi script into a sub (like ModPerl::Registry) and then run it using CGI::Emulate::PSGI.

This would give you the extreme easiness when you have bunch of old CGI scripts that is loaded using cgi-bin of Apache web server.

This module does not (yet) stat files nor recompile files on every request for the interest of performance. You need to restart the server process to reflect the changes to the CGI scripts.

See also Plack::App::WrapCGI if you compile one CGI script into a PSGI application without serving CGI scripts from a directory, to remove overhead of filesystem lookups, etc.

AUTHOR

Tatsuhiko Miyagawa

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

AUTHOR

SEE ALSO

Module Install Instructions

Keyboard Shortcuts