Security Advisories (2)

CVE-2026-5080 (2026-04-30)

Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.

CVE-2012-5572 (2014-05-30)

CRLF injection vulnerability in the cookie method allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a cookie name.

NAME

Dancer::Logger::Abstract - Abstract logging engine for Dancer

SYNOPSIS

In your configuration file:

# default
logger_format: simple
# [1234] debug @0.12> [hit #123]message from your log in File.pm line 12

# custom
logger_format: %m %{%H:%M}t [%{accept_type}h]
# message from your log [11:59] [text/html]

DESCRIPTION

This is an abstract logging engine that provides loggers with basic functionality and some sanity checking.

CONFIGURATION

logger_format

This is a format string (or a preset name) to specify the log format.

The possible values are:

%h: host emiting the request
%t: date (formated like %d/%b/%Y %H:%M:%S)
%P: PID
%L: log level
%D: timer
%m: message
%f: file name that emit the message
%l: line from the file
%i: request ID
%{$fmt}t: timer formatted with a valid time format
%{header}h: header value

There is two preset possible:

simple: will format the message like: [%P] %L @%D> %m in %f l. %l
with_id: will format the message like: [%P] %L @%D> [hit #%i] %m in %f l. %l

METHODS

format_message

Provides a common message formatting.

core

Logs messages as core.

debug

Logs messages as debug.

warning

Logs messages as warning.

error

Logs messages as error.

_log

A method to override. If your logger does not provide this, it will cause the application to die.

_should

Checks a certain level number against a certain level type (core, debug, warning, error).

AUTHOR

Alexis Sukrieh

LICENSE AND COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.

To install Dancer, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Dancer

CPAN shell

perl -MCPAN -e shell
install Dancer

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)