On Tue, 2 Mar 2010 13:38:15 -0500 Mark Stosberg <[email protected]> wrote:
> On Thu, 25 Feb 2010 17:51:40 -0600
> P Kishor <[email protected]> wrote:
>
> > following Mark Stosberg's email about PSGI, I decided to poke around a
> > bit more, and landed up with Dancer. Color me very impressed.
> >
> > Seriously, I have seldom experienced such easy *everything*. Almost
> > instant installation via 'sudo cpan Dancer', a simple 'dancer -a
> > myapp', and I had a working, nice looking application framework [*]
> > with nice URIs and ev'ryting.
> >
> > So, my question is thus -- how is Dancer different from CGI::App, and
> > why should I use the latter instead of the former? I asked this not
> > lightly because I have many years of experience invested in C::A, but
> > Dancer truly shows how apps should be.
>
> I had already looked at Dancer myself. As a result, you can see these
> entries in the Dancer ChangeLog:
>
> * Security Fix: protection from CRLF injection in
> response headers (thanks to Mark Stosberg for the report).
> * Support for multi-valued params in GET/POST data (thanks to
> Mark Stosberg for the report).
>
> So, in a short review, I found that it lacked support for multi-valued
> params, and that it had a notable security hole. If you look into it
> deeper, what else might you find?

I should qualify my comments further. CGI.pm also had a similar issue with allowing CRLF injection attacks in some cases, as did CGI::Simple. It's not what I would call a security vulnerability in any case because you have to write code that would be "tainted" for there to be a problem -- you would have to take untrusted data and use it to build a header without first validating it.

The issue with Dancer here speaks more to choice of "rolling their own" instead of re-using. So, when CGI.pm and CGI::Simple get upgraded, CGI::Application is able to take advantage of those improvements automatically, but Dancer does more in-use. That is fine if Dancer turns out to have everything correct and complete.

The issue with missing support for multi-valued params I think is just a sign of it being a young and evolving project at the time I reviewed it.

Mark

##### CGI::Application community mailing list ################
## Web archive: http://www.erlbaum.net/pipermail/cgiapp/
## Wiki: http://cgiapp.erlbaum.net/
################################################################
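The CRLF-injection point Mark makes above (untrusted data used to build a header without validation) in code, as an added example that is not from the mailing list, Dancer or CGI::Application; the header-building functions and the sample redirect value are constructed for illustration:

```perl
#!/usr/bin/env perl
# Added example: building an HTTP response header from untrusted input.
# The unsafe version interpolates the value directly; the checked version
# refuses any value containing CR or LF, which is the class of defect the
# Dancer changelog entry quoted above describes fixing.
use strict;
use warnings;

# Unsafe: a value containing "\r\n" is emitted as an extra header line.
# Kept only to show the "tainted" pattern the post describes.
sub unsafe_header {
    my ($name, $value) = @_;
    return "$name: $value\r\n";
}

# Checked: reject any header name or value that contains CR or LF.
# Returns the header line, or dies with a message the caller can log.
sub checked_header {
    my ($name, $value) = @_;
    for my $part ($name, $value) {
        die "refusing to emit header with CR/LF in '$part'\n"
            if $part =~ /[\r\n]/;
    }
    return "$name: $value\r\n";
}

# Constructed sample: a redirect target copied from a query parameter,
# into which a line break and a second header have been smuggled.
my $untrusted = "http://example.com/\r\nSet-Cookie: session=PLACEHOLDER";

# Unsafe output contains two header lines instead of one.
print "unsafe output:\n", unsafe_header('Location', $untrusted);

# Checked output rejects the value before it reaches the response.
my $hdr = eval { checked_header('Location', $untrusted) };
print "checked output: ", ($hdr // "rejected: $@");
```

Whether a framework strips, encodes or rejects such values, the check belongs in the one place that emits headers, which is why the post favours reusing CGI.pm or CGI::Simple over reimplementing it.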
