Commits on Feb 9, 2018
  1. Merge pull request #1428 from ccntrq/pr/allow_disabling_of_http_only_cookies_using_strings

    bigpresh committed Feb 9, 2018
    
    allow disabling of http only cookies using strings
Commits on Jan 20, 2018
  1. Test if we can disable http_only with a string

    ccntrq committed Jan 20, 2018
  2. FIX allow disabling http_only

    ccntrq committed Jan 20, 2018
Commits on Jan 15, 2018
  1. reflect changes

    cromedome committed Jan 15, 2018
  2. Move section on modules for extra speed to Deployment

    Pedro Melo authored and cromedome committed Dec 31, 2017
    This section is important to both old Dancer1 users but also to new
    Dancer2 users and the latter group would probably not read the
    Migration page.
    
    Moved the section from Migration to Deployment, and left a link
    pointing to the new placement.
  3. Merge branch 'docs/serializer'

    cromedome committed Jan 15, 2018
  4. reflect changes

    cromedome committed Jan 15, 2018
  5. Merge branch 'guest20-patch-1'

    veryrusty committed Jan 15, 2018
Commits on Nov 21, 2017
  1. Merge branch 'fix/circular-ref-in-error'

    xsawyerx committed Nov 21, 2017
  2. Reflect changes

    xsawyerx committed Nov 21, 2017
  3. Fix infinite recursion with circular refs

    andrewalker authored and xsawyerx committed Nov 19, 2017
    The previous commit added a test case for this issue. This commit uses a
    `$visited` hashref to the _censor subroutine, so that it keeps track of
    the data structures it visited.
    
    Whenever _censor would recurse, it used to copy the data structure like
    this:
    
        $hash->{$key} = { %{ $hash->{$key} } };
    
    That would change the address of the data, and make it harder for us to
    keep track of visited structures. So instead, I used Clone to make a
    deep copy of the entire structure in one go, and then I'm free to remove
    the sensitive data as I please, with no fear of interfering with the
    original.
  4. Add error case for infinite recursion with circular refs

    andrewalker authored and xsawyerx committed Nov 19, 2017
    I hit a particular edge case when working on PearlBee (a Dancer2 blog
    engine). I added a component which used a circular reference (it used
    the application config, and then it went to the config itself). While
    maybe it's not a great idea to use circular references anyway, it made
    Dancer2 go into infinite recursion whenever an exception happened inside
    Dancer2.
    
    To trigger the issue, the following has to happen:
    
    - have a circular reference on the config or session;
    - have show_errors enabled;
    - have an exception somewhere in the stack;
    
    The last item is a bit weird, because a simple `die` or throwing
    Dancer2::Core::Error doesn't cause it. But, for example, if the template
    engine dies, or if DBIx::Class dies, then the problem appears. It might
    be related to the exception being blessed? I tried to find out why, but
    was unable to.
    
    So in my test, I just used a template not found.
    
    Show_errors will make Dancer2::Core::Error dump the stack trace, the
    settings of the app, the session, and the request environment. And
    before dumping, it will traverse the data and try to censor things that
    look sensitive. When there are circular refs, it will traverse forever.
Commits on Oct 17, 2017
  1. v0.205002

    cromedome committed Oct 17, 2017
        [ BUG FIXES ]
        * GH #1362: Make cookies http_only by default (David Precious)
        * GH #1366: Use proper shebang on dancer script and make EU::MM do the job
        * GH #1373: Unset Dancer environment vars before testing (Alberto Simões)
        * GH #1380: Consider class of error displayed when using show_errors
          (Nick Tonkin).
        * GH #1383: Remove Deflater from default app skeleton (Pierre Vigier)
        * GH #1385: Fix links inside the documentation (Alberto Simões)
        * GH #1390: Honour no_server_tokens config in error responses (Russell
          @veryrusty Jenkins)
    
        [ DOCUMENTATION ]
        * GH #1285: Add "Default Template Variables" section to manual (simbabque)
        * GH #1312: Fix docs for Dancer2::Core::Route->match, which takes a request
          object (simbabque).
        * GH #1368: Don't allow XSS in tutorial (simbabque)
        * GH #1383: Remove full URL on links to third party modules (Alberto Simoes)
        * GH #1395: Customize TT behavior via subclassing (simbabque).
  2. Merge branch 'PR/1385'

    cromedome committed Oct 17, 2017
  3. Fix some links in the Manual pod

    ambs authored and cromedome committed Oct 12, 2017
  4. Merge branch 'bugfix/custom-error-pages'

    cromedome committed Oct 17, 2017
  5. reflect changes

    cromedome committed Oct 17, 2017
  6. String check

    1nickt authored and cromedome committed Oct 12, 2017
  7. Update doc.

    1nickt authored and cromedome committed Oct 10, 2017
  8. When show_errors is on, only skip showing the static error page in the case of a 500.

    1nickt authored and cromedome committed Oct 10, 2017
  9. reflect changes

    cromedome committed Oct 17, 2017
  10. add a chapter about advanced customization of TT via subclass of D2::T::TT

    simbabque authored and cromedome committed Oct 12, 2017
    
    This content is based on my Stack Overflow answer https://stackoverflow.com/a/46645835/1331451.
  11. reflect changes

    cromedome committed Oct 17, 2017
  12. Merge branch 'bugfix_error_no_server_tokens_1390'

    cromedome committed Oct 17, 2017
  13. reflect changes

    cromedome committed Oct 17, 2017
Commits on Oct 15, 2017
  1. Honour no_server_tokens config in error responses

    veryrusty committed Oct 15, 2017
    For apps configured to NOT include server tokens in responses,
    responses on error should do the same thing too. So ..
    
    When the Error object has an app, use its no_server_tokens config setting,
    or fall back to $ENV{DANCER_NO_SERVER_TOKENS} (as the Runner does) if
    no app is present.
    
    Resolves 1390.
Commits on Oct 12, 2017
  1. Update changes

    ambs committed Oct 12, 2017
Commits on Oct 11, 2017
  1. Merge branch 'docs/no-xss-in-tutorial'

    cromedome committed Oct 11, 2017