Security Advisories (3)
CVE-2026-5080 (2026-04-30)

Dancer::Session::Abstract versions through 1.3522 for Perl generate session ids insecurely. The session id is generated by summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999 billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32 bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.

CVE-2012-5572 (2014-05-30)

CRLF injection vulnerability in the cookie method allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a cookie name.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability (Mojolicious report, but Dancer was vulnerable as well).
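
For contrast with the id construction described under CVE-2026-5080, the following added example (not Dancer's code and not the project's fix) draws the session id entirely from the kernel CSPRNG and checks the format of presented ids before any session lookup. The sub names are hypothetical, and a Unix-like host with /dev/urandom is assumed; the CPAN module Crypt::URandom is a portable alternative for the byte source.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Added example: none of these subs are part of Dancer.
# Assumes a Unix-like host where /dev/urandom is the kernel CSPRNG.

# Return exactly $n bytes from the kernel CSPRNG, or die.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while ( length($buf) < $n ) {
        # Append at the current end of $buf so short reads are handled.
        my $got = read( $fh, $buf, $n - length($buf), length($buf) );
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom"    unless $got;
    }
    close $fh;
    return $buf;
}

# 32 random bytes = 256 bits, hex-encoded to 64 characters.
# No pathname, process id, clock value or rand() output goes into the id.
sub new_session_id { return unpack( 'H*', random_bytes(32) ) }

# Accept only ids in the format issued above, before any store lookup.
sub is_wellformed_id {
    my ($id) = @_;
    return ( defined($id) && $id =~ /\A[0-9a-f]{64}\z/ ) ? 1 : 0;
}

# Demonstration on constructed values.
my %seen;
for ( 1 .. 1000 ) {
    my $id = new_session_id();
    die "malformed id" unless is_wellformed_id($id);
    die "duplicate id" if $seen{$id}++;
}

# Constructed all-digit value (a number repeated three times): rejected.
my $numeric = '123456789012' x 3;
printf "fresh id: %s\n", new_session_id();
printf "all-digit id accepted? %s\n", is_wellformed_id($numeric) ? 'yes' : 'no';
```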

NAME

Dancer::Route::Cache - route caching mechanism for Dancer

SYNOPSIS

my $cache = Dancer::Route::Cache->new(
    path_limit => 300, # optional
);

# storing a path
# /new/item/ is the path, $route is a compiled route
$cache->store_path( 'get', '/new/item/', $route );
my $cached_route = $cache->route_from_path('/new/item/');

DESCRIPTION

When Dancer first starts, it has to compile a regexp list of all the routes. Then, on each request it goes over the compiled routes list and tries to compare the requested path to a route.

A major drawback is that Dancer has to go over the matching on every request, which (especially on CGI-based applications) can be very time-consuming.

The caching mechanism allows caching some requests to specific routes (but NOT specific results) and running those routes on a specific path. This allows us to speed up Dancer quite a lot.

METHODS/SUBROUTINES

new(@args)

Creates a new route cache object.

my $cache = Dancer::Route::Cache->new(
    path_limit => 100,   # only 100 paths will be cached
    size_limit => '30M', # max size for cache is 30MB
);

Please check the ATTRIBUTES section below to learn about the arguments for new().

route_from_path($path)

Fetches the route from the path in the cache.

store_path( $method, $path => $route )

Stores the route in the cache according to the path and $method.

For developers: we use an object for this, rather than using the registry hash directly, because we need to enforce the limits.

parse_size($size)

Parses the requested size into bytes. It can handle kilobytes, megabytes or gigabytes.

NOTICE: handles bytes, not bits!

my $bytes = $cache->parse_size('30M');

# doesn't need an existing object
$bytes = Dancer::Route::Cache->parse_size('300G'); # works this way too

route_cache_size

Returns a rough calculation of the size of the cache. This is used to enforce the size limit.

route_cache_paths

Returns all the paths in the cache. This is used to enforce the path limit.

ATTRIBUTES

size_limit($limit)

Sets a size limit for the cache.

Returns the limit (post-set).

$cache->size_limit('10K');      # sets limit
my $limit = $cache->size_limit; # gets limit

path_limit($limit)

A path limit. That is, the number of paths whose routes will be cached.

Returns the limit (post-set).

$cache->path_limit('100');      # sets limit
my $limit = $cache->path_limit; # gets limit

AUTHOR

Sawyer X

LICENSE AND COPYRIGHT

Copyright 2010 Sawyer X.

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.