Security Advisories (1)

CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

NAME

Plack::Middleware::XSendfile - Sets X-Sendfile (or a like) header for frontends

SYNOPSIS

enable "Plack::Middleware::XSendfile";

DESCRIPTION

When the body is a blessed reference with a path method, then the return value of that method is used to set the X-Sendfile header.

The body is set to an empty list, and the Content-Length header is set to 0.

If the X-Sendfile header is already set, then the body and Content-Length will be untouched.

You should use IO::File::WithPath or Plack::Util's set_io_path to add path method to an IO object in the body.

See http://github.com/rack/rack-contrib/blob/master/lib/rack/contrib/sendfile.rb for the frontend configuration.

Plack::Middleware::XSendfile does not set the Content-Type header.

CONFIGURATION

variation

The header tag to use. If unset, the environment key plack.xsendfile.type will be used, then the HTTP_X_SENDFILE_TYPE header.

Supported values are:

X-Accel-Redirect
X-Lighttpd-Send-File
X-Sendfile.

An unsupport value will log an error.

AUTHOR

Tatsuhiko Miyagawa

To install Plack, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Plack

CPAN shell

perl -MCPAN -e shell
install Plack

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

CONFIGURATION

AUTHOR

Module Install Instructions

Keyboard Shortcuts