On Jun 15, 2018, at 4:30 PM, David Precious <dav...@preshweb.co.uk> wrote:
>
> - Validate session IDs read from client - GH #1172 - potential security
>   risk if the session provider in use passes the session ID in a way
>   where injection is possible.

Is there a list of session providers known to do this? I don’t expect it to be complete, but I suspect that, like me, most people will have no way to evaluate whether their session providers are vulnerable.

Obviously new systems still based on D1 will go out with this new version. The question is, do we go back and patch all of those already deployed? In our world, that’s not especially easy, so we’re not going to do it if we’re not actually vulnerable.

_______________________________________________
dancer-users mailing list
dancer-users@dancer.pm
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users