Security Advisories (3)

CPANSA-Plack-2015-0202 (2015-02-02)

Fixed a possible directory traversal with Plack::App::File on Win32.

CPANSA-Plack-2014-0801 (2014-08-01)

Plack::App::File would previously strip trailing slashes off provided paths. This, in combination with the common pattern of serving files with Plack::Middleware::Static, could allow an attacker to bypass a whitelist of generated files.

CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not set in the middleware constructor or the Plack environment. Against services running behind nginx reverse proxies, a malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" and then set the X-Accel-Mapping header to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations: it disallows regular expressions in the mapping, and it applies the mapping only for the "X-Accel-Redirect" type.

NAME

Plack::Loader::Delayed - Delay the loading of .psgi until the first run

SYNOPSIS

plackup -s Starlet -L Delayed myapp.psgi

DESCRIPTION

This loader delays the compilation of the specified PSGI application until the first request. This prevents bad things from happening with preforking web servers like Starlet, when your application opens resources such as sockets or database connections in the master startup process and those resources are then shared by the children.

You can combine this loader with the -M command line option, like:

plackup -s Starlet -MCatalyst -L Delayed myapp.psgi

This loads the module Catalyst in the master process for better process management with copy-on-write, while the application myapp.psgi is loaded in each child.

Starman since version 0.2000 loads this loader by default unless you specify the command line option --preload-app for the starman executable.
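
The sharing problem described above, as an added example in core Perl (not code from Plack or from this module): it simulates a preforking server that compiles the application either before fork() or on the first request inside each worker. The names build_app and serve_in_worker and the record file are hypothetical stand-ins for myapp.psgi, a server worker and a backend connection.

```perl
# Added illustration, not Plack code: compiling an app before fork() versus in each worker.
use strict; use warnings;
use File::Temp qw(tempfile);
use POSIX ();

# Constructed stand-in for a backend connection: a file of 6-byte records.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "row-1\nrow-2\nrow-3\n";
close $tmp or die "close: $!";

# Hypothetical stand-in for compiling myapp.psgi: opens a handle at load time
# and returns a PSGI-style code ref that closes over it.
sub build_app {
    open my $fh, '<', $path or die "open: $!";
    my $loader_pid = $$;
    return sub {
        defined sysread($fh, my $rec, 6) or die "sysread: $!";
        chomp $rec;
        my $who = $loader_pid == $$ ? 'this worker' : 'the master';
        return [200, ['Content-Type' => 'text/plain'],
                ["handle opened by $who, read $rec"]];
    };
}

# Fork one worker, serve a single request in it, and hand the body to the parent.
sub serve_in_worker {
    my ($app) = @_;
    pipe(my $r, my $w) or die "pipe: $!";
    my $pid = fork() // die "fork: $!";
    if ($pid == 0) {
        close $r;
        my $res = $app->({ REQUEST_METHOD => 'GET', PATH_INFO => '/' });
        print {$w} $res->[2][0];
        close $w;
        POSIX::_exit(0);    # skip END blocks and inherited output buffers
    }
    close $w;
    my $body = do { local $/; <$r> };
    waitpid($pid, 0);
    return $body;
}

# Preloaded: the app, and its handle, exist before any worker is forked.
my $preloaded = build_app();
print "preloaded: ", serve_in_worker($preloaded), "\n" for 1 .. 2;

# Delayed: a wrapper that compiles the app on the first request inside the worker.
my $delayed = do { my $app; sub { $app ||= build_app(); $app->(@_) } };
print "delayed:   ", serve_in_worker($delayed), "\n" for 1 .. 2;
```

In the preloaded run both workers report a handle opened by the master and read consecutive records, because they share one file offset. In the delayed run each worker opens its own handle and starts at the first record.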

DEVELOPERS

Web server developers can make use of the psgi_app_builder attribute callback set in Plack::Handler to load the application earlier than the first request.

AUTHOR

Tatsuhiko Miyagawa

SEE ALSO

plackup