Plack-1.0052-TRIAL

Security Advisories (1)

CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

Changes for version 1.0052 - 2024-09-30

IMPROVEMENTS
- Plack::MIME: Add definitions for JPEG XL, zstd and GnuPG file extensions

Documentation

plackup

Run PSGI application with Plack handlers

Modules

HTTP::Message::PSGI

Converts HTTP::Request and HTTP::Response from/to PSGI env and response UNAUTHORIZED

HTTP::Server::PSGI

Standalone PSGI compatible HTTP server UNAUTHORIZED

Plack

Perl Superglue for Web frameworks and Web Servers (PSGI toolkit) UNAUTHORIZED

Plack::App::CGIBin

cgi-bin replacement for Plack servers UNAUTHORIZED

Plack::App::Cascade

Cascadable compound application UNAUTHORIZED

Plack::App::Directory

Serve static files from document root with directory index UNAUTHORIZED

Plack::App::File

Serve static files from root directory UNAUTHORIZED

Plack::App::PSGIBin

Run .psgi files from a directory UNAUTHORIZED

Plack::App::URLMap

Map multiple apps in different paths UNAUTHORIZED

Plack::App::WrapCGI

Compiles a CGI script as PSGI application UNAUTHORIZED

Plack::Builder

OO and DSL to enable Plack Middlewares UNAUTHORIZED

Plack::Component

Base class for PSGI endpoints UNAUTHORIZED

Plack::HTTPParser

Parse HTTP headers UNAUTHORIZED

Plack::HTTPParser::PP

Pure perl fallback of HTTP::Parser::XS UNAUTHORIZED

Plack::Handler

Connects PSGI applications and Web servers UNAUTHORIZED

Plack::Handler::Apache1

Apache 1.3.x mod_perl handlers to run PSGI application UNAUTHORIZED

Plack::Handler::Apache2

Apache 2.0 mod_perl handler to run PSGI application UNAUTHORIZED

Plack::Handler::Apache2::Registry

Runs .psgi files. UNAUTHORIZED

Plack::Handler::CGI

CGI handler for Plack UNAUTHORIZED

Plack::Handler::FCGI

FastCGI handler for Plack UNAUTHORIZED

Plack::Handler::HTTP::Server::PSGI

adapter for HTTP::Server::PSGI UNAUTHORIZED

Plack::Handler::Standalone

adapter for HTTP::Server::PSGI UNAUTHORIZED

Plack::LWPish

HTTP::Request/Response compatible interface with HTTP::Tiny backend UNAUTHORIZED

Plack::Loader

(auto)load Plack Servers UNAUTHORIZED

Plack::Loader::Delayed

Delay the loading of .psgi until the first run UNAUTHORIZED

Plack::Loader::Restarter

Restarting loader UNAUTHORIZED

Plack::Loader::Shotgun

forking implementation of plackup UNAUTHORIZED

Plack::MIME

MIME type registry UNAUTHORIZED

Plack::Middleware

Base class for easy-to-use PSGI middleware UNAUTHORIZED

Plack::Middleware::AccessLog

Logs requests like Apache's log format UNAUTHORIZED

Plack::Middleware::AccessLog::Timed

Logs requests with time and accurate body size UNAUTHORIZED

Plack::Middleware::Auth::Basic

Simple basic authentication middleware UNAUTHORIZED

Plack::Middleware::BufferedStreaming

Enable buffering for non-streaming aware servers UNAUTHORIZED

Plack::Middleware::Chunked

Applies chunked encoding to the response body UNAUTHORIZED

Plack::Middleware::Conditional

Conditional wrapper for Plack middleware UNAUTHORIZED

Plack::Middleware::ConditionalGET

Middleware to enable conditional GET UNAUTHORIZED

Plack::Middleware::ContentLength

Adds Content-Length header automatically UNAUTHORIZED

Plack::Middleware::ContentMD5

Automatically sets the Content-MD5 header on all String bodies UNAUTHORIZED

Plack::Middleware::ErrorDocument

Set Error Document based on HTTP status code UNAUTHORIZED

Plack::Middleware::HTTPExceptions

Catch HTTP exceptions UNAUTHORIZED

Plack::Middleware::Head

auto delete response body in HEAD requests UNAUTHORIZED

Plack::Middleware::IIS6ScriptNameFix

fixes wrong SCRIPT_NAME and PATH_INFO that IIS6 sets UNAUTHORIZED

Plack::Middleware::IIS7KeepAliveFix

fixes buffer being cut off on redirect when keep-alive is active on IIS. UNAUTHORIZED

Plack::Middleware::JSONP

Wraps JSON response in JSONP if callback parameter is specified UNAUTHORIZED

Plack::Middleware::LighttpdScriptNameFix

fixes wrong SCRIPT_NAME and PATH_INFO that lighttpd sets UNAUTHORIZED

Plack::Middleware::Lint

Validate request and response UNAUTHORIZED

Plack::Middleware::Log4perl

Uses Log::Log4perl to configure logger UNAUTHORIZED

Plack::Middleware::LogDispatch

Uses Log::Dispatch to configure logger UNAUTHORIZED

Plack::Middleware::NullLogger

Send logs to /dev/null UNAUTHORIZED

Plack::Middleware::RearrangeHeaders

Reorder HTTP headers for buggy clients UNAUTHORIZED

Plack::Middleware::Recursive

Allows PSGI apps to include or forward requests recursively UNAUTHORIZED

Plack::Middleware::Refresh

Refresh all modules in %INC UNAUTHORIZED

Plack::Middleware::Runtime

Sets an X-Runtime response header UNAUTHORIZED

Plack::Middleware::SimpleContentFilter

Filters response content UNAUTHORIZED

Plack::Middleware::SimpleLogger

Simple logger that prints to psgi.errors UNAUTHORIZED

Plack::Middleware::StackTrace

Displays stack trace when your app dies UNAUTHORIZED

Plack::Middleware::Static

serve static files with Plack UNAUTHORIZED

Plack::Middleware::XFramework

Sample middleware to add X-Framework UNAUTHORIZED

Plack::Middleware::XSendfile

Sets X-Sendfile (or a like) header for frontends UNAUTHORIZED

Plack::Request

Portable HTTP request object from PSGI env hash UNAUTHORIZED

Plack::Request::Upload

handles file upload requests UNAUTHORIZED

Plack::Response

Portable HTTP Response object for PSGI response UNAUTHORIZED

Plack::Runner

plackup core UNAUTHORIZED

Plack::Test

Test PSGI applications with various backends UNAUTHORIZED

Plack::Test::MockHTTP

Run mocked HTTP tests through PSGI applications UNAUTHORIZED

Plack::Test::Server

Run HTTP tests through live Plack servers UNAUTHORIZED

Plack::Test::Suite

Test suite for Plack handlers UNAUTHORIZED

Plack::Util

Utility subroutines for Plack server and framework developers UNAUTHORIZED

Plack::Util::Accessor

Accessor generation utility for Plack UNAUTHORIZED

Provides

Plack::Handler::CGI::Writer

in lib/Plack/Handler/CGI.pm UNAUTHORIZED

Plack::Recursive::ForwardRequest

in lib/Plack/Middleware/Recursive.pm UNAUTHORIZED

Plack::TempBuffer

in lib/Plack/TempBuffer.pm UNAUTHORIZED

Plack::Util::IOWithPath

in lib/Plack/Util.pm UNAUTHORIZED

Plack::Util::Prototype

in lib/Plack/Util.pm UNAUTHORIZED

Examples

Other files

To install Plack, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Plack

CPAN shell

perl -MCPAN -e shell
install Plack

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)