I haven't had time to closely verify, but I believe the same most likely will apply to Dancer2::Serializer::XML.
I tried reporting this directly via email first, but your @cpan.org address bounced.
Do you still actively maintain the distribution, and would you be able to apply a similar fix here to the one proposed in the above linked pull request to Dancer1 and get a new release out?
If you do not have time to maintain it any more, as part of the Dancer core dev team I'd be willing to adopt it and get a new release out, as I imagine some people do depend on it and I'd not want those Dancer2 users to be left vulnerable.
Thanks for letting me know. Happy to get a new release out. Can you patch and do a pull request? I wouldn't feel confident that I had correctly handled the issue.
A potential security vulnerability has been reported in Dancer1 with regard to handling XML with external entities: https://github.com/PerlDancer/Dancer/pull/1216