/ 
Plack-1.0052
⭐ Starred 488 / Plack::Middleware::XSendfile
Security Advisories (1)
CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

NAME

Plack::Middleware::XSendfile - Sets X-Sendfile (or a like) header for frontends

SYNOPSIS

enable "Plack::Middleware::XSendfile";

DESCRIPTION

When the body is a blessed reference with a path method, then the return value of that method is used to set the X-Sendfile header.

The body is set to an empty list, and the Content-Length header is set to 0.

If the X-Sendfile header is already set, then the body and Content-Length will be untouched.

You should use IO::File::WithPath or Plack::Util's set_io_path to add path method to an IO object in the body.

See https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile for frontend configuration examples.

Plack::Middleware::XSendfile does not set the Content-Type header.

FRONTEND CONFIGURATION

Nginx

Nginx supports X-Accel-Redirect. Configure an internal location and pass the X-Accel-Mapping header to the backend so the middleware can rewrite filesystem paths into internal URLs:

location ~ /files/(.*) {
    internal;
    alias /var/www/$1;
}

location / {
    proxy_pass         http://127.0.0.1:5000/;
    proxy_set_header   X-Sendfile-Type     X-Accel-Redirect;
    proxy_set_header   X-Accel-Mapping     /var/www/=/files/;
}

X-Accel-Mapping tells the middleware which filesystem prefix to replace and what internal URL prefix to use instead.

Apache

Enable mod_xsendfile (https://tn123.org/mod_xsendfile/) and set the request header so the middleware activates:

RequestHeader Set X-Sendfile-Type X-Sendfile
XSendFile on

lighttpd

proxy-core.allow-x-sendfile = "enable"
proxy-core.rewrite-request = (
    "X-Sendfile-Type" => (".*" => "X-Sendfile")
)

SECURITY

This middleware reads the X-Accel-Mapping and X-Sendfile-Type values from request headers, which are expected to be injected by a trusted frontend proxy. The Plack backend must not be directly reachable by untrusted clients. If a client can send these headers directly, they can influence which files the frontend server serves.

To defend in depth with nginx, use proxy_ignore_headers to prevent any client-supplied values from passing through, and rely solely on proxy_set_header directives in your nginx configuration to supply the correct values.

CONFIGURATION

variation

The header tag to use. If unset, the environment key plack.xsendfile.type will be used, then the HTTP_X_SENDFILE_TYPE header.

Supported values are:

  • X-Accel-Redirect

  • X-Lighttpd-Send-File

  • X-Sendfile.

An unsupport value will log an error.

AUTHOR

Tatsuhiko Miyagawa