Hi all,

Important notice for anyone using Dancer::Plugin::SimpleCRUD - if you use the `auth` option to control access to the CRUD interface/routes via DPAE, then please update to 1.15 immediately; previous versions contain a security vulnerability as a result of incorrect calls to _ensure_auth(), meaning that only some routes are correctly protected, and some others aren't.

Full details can be seen in PR #109 which fixes this problem: https://github.com/bigpresh/Dancer-Plugin-SimpleCRUD/pull/109

This is a pretty embarrassing fuckup - a security problem on one of my projects. I hold my hands up and apologise to anyone affected by this, for this is a stupid mistake. A better test suite would have caught this.

I'm not sure if a CVE ID is warranted or not, but I have submitted a request for one via the Distributed Weakness Filing Project, so they can decide if one is required for this or not.

So, again, please upgrade immediately if you rely on the `auth` option, and sorry.

Also, many many thanks to Josh Rabinowitz (joshrabinowitz) for finding this problem and submitting a test which illustrates it.

Cheers

Dave P (bigpresh)