/ 
Mojolicious-0.999922
⭐ Starred 2674
/ Mojo::Client
Security Advisories (14)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

NAME

Mojo::Client - Async IO HTTP 1.1 And WebSocket Client

SYNOPSIS

use Mojo::Client;

my $client = Mojo::Client->new;
$client->get(
    'http://kraih.com' => sub {
        my $self = shift;
        print $self->res->code;
    }
)->process;

DESCRIPTION

Mojo::Client is a full featured async io HTTP 1.1 and WebSocket client with IPv6, TLS, epoll and kqueue support.

It implements the most common HTTP verbs. If you need something more custom you can create your own Mojo::Transaction::HTTP objects and queue them. All of the verbs take an optional set of headers as a hash or hash reference, as well as an optional callback sub reference.

Optional modules IO::KQueue, IO::Epoll, IO::Socket::INET6 and IO::Socket::SSL are supported transparently and used if installed.

ATTRIBUTES

Mojo::Client implements the following attributes.

my $cookie_jar = $client->cookie_jar;
$client        = $client->cookie_jar(Mojo::CookieJar->new);

Cookie jar to use for this clients requests, by default a Mojo::CookieJar object.

default_cb

my $cb  = $client->default_cb;
$client = $client->default_cb(sub {...});

A default callback to use if your request does not specify a callback.

$client->default_cb(sub {
    my ($self, $tx) = @_;
});

ioloop

my $loop = $client->ioloop;
$client  = $client->ioloop(Mojo::IOLoop->new);

Loop object to use for io operations, by default it will use the global Mojo::IOLoop singleton. You can force the client to block on process by creating a new loop object.

keep_alive_timeout

my $keep_alive_timeout = $client->keep_alive_timeout;
$client                = $client->keep_alive_timeout(15);

Timeout in seconds for keep alive between requests, defaults to 15.

max_keep_alive_connections

my $max_keep_alive_connections = $client->max_keep_alive_connections;
$client                        = $client->max_keep_alive_connections(5);

Maximum number of keep alive connections that the client will retain before it starts closing the oldest cached ones, defaults to 5.

max_redirects

my $max_redirects = $client->max_redirects;
$client           = $client->max_redirects(3);

Maximum number of redirects the client will follow before it fails, defaults to 3.

tls_ca_file

my $tls_ca_file = $client->tls_ca_file;
$client         = $client->tls_ca_file('/etc/tls/cacerts.pem');

TLS certificate authority file to use, defaults to the MOJO_CA_FILE environment variable. Note that IO::Socket::SSL must be installed for HTTPS support.

tls_verify_cb

my $tls_verify_cb = $client->tls_verify_cb;
$client           = $client->tls_verify_cb(sub {...});

Callback to verify your TLS connection, by default the client will accept most certificates. Note that IO::Socket::SSL must be installed for HTTPS support.

tx

$client->tx;

The last finished transaction, only available from callbacks.

websocket_timeout

my $websocket_timeout = $client->websocket_timeout;
$client               = $client->websocket_timeout(300);

Timeout in seconds for WebSockets to be idle, defaults to 300.

METHODS

Mojo::Client inherits all methods from Mojo::Base and implements the following new ones.

new

my $client = Mojo::Client->new;

Construct a new Mojo::Client object. Use singleton if you want to share keep alive connections and cookies with other clients

app

my $app = $client->app;
$client = $client->app(MyApp->new);

A Mojo application to associate this client with. If set, local requests will be processed in this application.

delete

$client = $client->delete('http://kraih.com' => sub {...});
$client = $client->delete(
    'http://kraih.com' => (Connection => 'close') => sub {...}
);

Send a HTTP DELETE request.

finish

$client->finish;

Finish the WebSocket connection, only available from callbacks.

get

$client = $client->get('http://kraih.com' => sub {...});
$client = $client->get(
    'http://kraih.com' => (Connection => 'close') => sub {...}
);

Send a HTTP GET request.

$client = $client->head('http://kraih.com' => sub {...});
$client = $client->head(
    'http://kraih.com' => (Connection => 'close') => sub {...}
);

Send a HTTP HEAD request.

log

my $log = $client->log;
$client = $client->log(Mojo::Log->new);

A Mojo::Log object used for logging, by default the application log will be used.

post

$client = $client->post('http://kraih.com' => sub {...});
$client = $client->post(
    'http://kraih.com' => (Connection => 'close') => sub {...}
);
$client = $client->post(
    'http://kraih.com',
    (Connection => 'close'),
    'message body',
    sub {...}
);
$client = $client->post(
    'http://kraih.com' => (Connection => 'close') => 'Hi!' => sub {...}
);

Send a HTTP POST request.

post_form

$client = $client->post_form('/foo' => {test => 123}, sub {...});
$client = $client->post_form(
    '/foo',
    'UTF-8',
    {test => 123},
    sub {...}
);
$client = $client->post_form(
    '/foo',
    {test => 123},
    {Expect => '100-continue'},
    sub {...}
);
$client = $client->post_form(
    '/foo',
    'UTF-8',
    {test => 123},
    {Expect => '100-continue'},
    sub {...}
);

Send a HTTP POST request with form data.

process

$client = $client->process;
$client = $client->process(@transactions);
$client = $client->process(@transactions => sub {...});

Process all queued transactions. Will be blocking unless you have a global shared ioloop.

put

$client = $client->put('http://kraih.com' => sub {...});
$client = $client->put(
    'http://kraih.com' => (Connection => 'close') => sub {...}
);
$client = $client->put(
    'http://kraih.com' => (Connection => 'close') => 'Hi!' => sub {...}
);

Send a HTTP PUT request.

queue

$client = $client->queue(@transactions);
$client = $client->queue(@transactions => sub {...});

Queue a list of transactions for processing. HTTP 1.1 transactions can also be pipelined by wrapping them in an arrayref. Note that following redirects and WebSocket upgrades don't work for pipelined transactions.

$client->queue([$tx, $tx2] => sub {
    my ($self, $p) = @_;
});

receive_message

$client->receive_message(sub {...});

Receive messages via WebSocket, only available from callbacks.

$client->receive_message(sub {
    my ($self, $message) = @_;
});

req

my $req = $client->req;

The request object of the last finished transaction, only available from callbacks.

res

my $res = $client->res;

The response object of the last finished transaction, only available from callbacks.

singleton

my $client = Mojo::Client->singleton;

The global client object, used to access a single shared client instance from everywhere inside the process.

send_message

$client->send_message('Hi there!');

Send a message via WebSocket, only available from callbacks.

websocket

$client = $client->websocket('ws://localhost:3000' => sub {...});
$client = $client->websocket(
    'ws://localhost:3000' => ('User-Agent' => 'Agent 1.0') => sub {...}
);

Open a WebSocket connection with transparent handshake.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.