Security Advisories (8)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojo::Headers - HTTP headers

SYNOPSIS

use Mojo::Headers;

# Parse
my $headers = Mojo::Headers->new;
$headers->parse("Content-Length: 42\x0d\x0a");
$headers->parse("Content-Type: text/html\x0d\x0a\x0d\x0a");
say $headers->content_length;
say $headers->content_type;

# Build
$headers = Mojo::Headers->new;
$headers->content_length(42);
$headers->content_type('text/plain');
say $headers->to_string;

DESCRIPTION

Mojo::Headers is a container for HTTP headers, based on RFC 7230 and RFC 7231.

ATTRIBUTES

Mojo::Headers implements the following attributes.

max_line_size

my $size = $headers->max_line_size;
$headers = $headers->max_line_size(1024);

Maximum header line size in bytes, defaults to the value of the MOJO_MAX_LINE_SIZE environment variable or 8192 (8KB).

max_lines

my $num  = $headers->max_lines;
$headers = $headers->max_lines(200);

Maximum number of header lines, defaults to the value of the MOJO_MAX_LINES environment variable or 100.

METHODS

Mojo::Headers inherits all methods from Mojo::Base and implements the following new ones.

accept

my $accept = $headers->accept;
$headers   = $headers->accept('application/json');

Get or replace current header value, shortcut for the Accept header.

accept_charset

my $charset = $headers->accept_charset;
$headers    = $headers->accept_charset('UTF-8');

Get or replace current header value, shortcut for the Accept-Charset header.

accept_encoding

my $encoding = $headers->accept_encoding;
$headers     = $headers->accept_encoding('gzip');

Get or replace current header value, shortcut for the Accept-Encoding header.

accept_language

my $language = $headers->accept_language;
$headers     = $headers->accept_language('de, en');

Get or replace current header value, shortcut for the Accept-Language header.

accept_ranges

my $ranges = $headers->accept_ranges;
$headers   = $headers->accept_ranges('bytes');

Get or replace current header value, shortcut for the Accept-Ranges header.

access_control_allow_origin

my $origin = $headers->access_control_allow_origin;
$headers   = $headers->access_control_allow_origin('*');

Get or replace current header value, shortcut for the Access-Control-Allow-Origin header from Cross-Origin Resource Sharing.

add

$headers = $headers->add(Foo => 'one value');
$headers = $headers->add(Foo => 'first value', 'second value');

Add header with one or more lines.

# "Vary: Accept
#  Vary: Accept-Encoding"
$headers->add(Vary => 'Accept')->add(Vary => 'Accept-Encoding')->to_string;

allow

my $allow = $headers->allow;
$headers  = $headers->allow('GET, POST');

Get or replace current header value, shortcut for the Allow header.

append

$headers = $headers->append(Vary => 'Accept-Encoding');

Append value to header and flatten it if necessary.

# "Vary: Accept"
$headers->append(Vary => 'Accept')->to_string;

# "Vary: Accept, Accept-Encoding"
$headers->vary('Accept')->append(Vary => 'Accept-Encoding')->to_string;

authorization

my $authorization = $headers->authorization;
$headers          = $headers->authorization('Basic Zm9vOmJhcg==');

Get or replace current header value, shortcut for the Authorization header.

cache_control

my $cache_control = $headers->cache_control;
$headers          = $headers->cache_control('max-age=1, no-cache');

Get or replace current header value, shortcut for the Cache-Control header.

clone

my $clone = $headers->clone;

Clone headers.

connection

my $connection = $headers->connection;
$headers       = $headers->connection('close');

Get or replace current header value, shortcut for the Connection header.

content_disposition

my $disposition = $headers->content_disposition;
$headers        = $headers->content_disposition('foo');

Get or replace current header value, shortcut for the Content-Disposition header.

content_encoding

my $encoding = $headers->content_encoding;
$headers     = $headers->content_encoding('gzip');

Get or replace current header value, shortcut for the Content-Encoding header.

content_language

my $language = $headers->content_language;
$headers     = $headers->content_language('en');

Get or replace current header value, shortcut for the Content-Language header.

content_length

my $len  = $headers->content_length;
$headers = $headers->content_length(4000);

Get or replace current header value, shortcut for the Content-Length header.

content_location

my $location = $headers->content_location;
$headers     = $headers->content_location('http://127.0.0.1/foo');

Get or replace current header value, shortcut for the Content-Location header.

content_range

my $range = $headers->content_range;
$headers  = $headers->content_range('bytes 2-8/100');

Get or replace current header value, shortcut for the Content-Range header.

content_security_policy

my $policy = $headers->content_security_policy;
$headers   = $headers->content_security_policy('default-src https:');

Get or replace current header value, shortcut for the Content-Security-Policy header from Content Security Policy 1.0.

content_type

my $type = $headers->content_type;
$headers = $headers->content_type('text/plain');

Get or replace current header value, shortcut for the Content-Type header.

cookie

my $cookie = $headers->cookie;
$headers   = $headers->cookie('f=b');

Get or replace current header value, shortcut for the Cookie header from RFC 6265.

date

my $date = $headers->date;
$headers = $headers->date('Sun, 17 Aug 2008 16:27:35 GMT');

Get or replace current header value, shortcut for the Date header.

dnt

my $dnt  = $headers->dnt;
$headers = $headers->dnt(1);

Get or replace current header value, shortcut for the DNT (Do Not Track) header, which has no specification yet, but is very commonly used.

etag

my $etag = $headers->etag;
$headers = $headers->etag('"abc321"');

Get or replace current header value, shortcut for the ETag header.

every_header

my $all = $headers->every_header('Location');

Similar to "header", but returns all headers sharing the same name as an array reference.

# Get first header value
say $headers->every_header('Location')->[0];

expect

my $expect = $headers->expect;
$headers   = $headers->expect('100-continue');

Get or replace current header value, shortcut for the Expect header.

expires

my $expires = $headers->expires;
$headers    = $headers->expires('Thu, 01 Dec 1994 16:00:00 GMT');

Get or replace current header value, shortcut for the Expires header.

from_hash

$headers = $headers->from_hash({'Cookie' => 'a=b'});
$headers = $headers->from_hash({'Cookie' => ['a=b', 'c=d']});
$headers = $headers->from_hash({});

Parse headers from a hash reference. An empty hash removes all headers.

header

my $value = $headers->header('Foo');
$headers  = $headers->header(Foo => 'one value');
$headers  = $headers->header(Foo => 'first value', 'second value');

Get or replace the current header values.

host

my $host = $headers->host;
$headers = $headers->host('127.0.0.1');

Get or replace current header value, shortcut for the Host header.

if_modified_since

my $date = $headers->if_modified_since;
$headers = $headers->if_modified_since('Sun, 17 Aug 2008 16:27:35 GMT');

Get or replace current header value, shortcut for the If-Modified-Since header.

if_none_match

my $etag = $headers->if_none_match;
$headers = $headers->if_none_match('"abc321"');

Get or replace current header value, shortcut for the If-None-Match header.

is_finished

my $bool = $headers->is_finished;

Check if header parser is finished.

is_limit_exceeded

my $bool = $headers->is_limit_exceeded;

Check if headers have exceeded "max_line_size" or "max_lines".

last_modified

my $date = $headers->last_modified;
$headers = $headers->last_modified('Sun, 17 Aug 2008 16:27:35 GMT');

Get or replace current header value, shortcut for the Last-Modified header.

leftovers

my $bytes = $headers->leftovers;

Get and remove leftover data from header parser.

link

my $link = $headers->link;
$headers = $headers->link('<http://127.0.0.1/foo/3>; rel="next"');

Get or replace current header value, shortcut for the Link header from RFC 5988.

location

my $location = $headers->location;
$headers     = $headers->location('http://127.0.0.1/foo');

Get or replace current header value, shortcut for the Location header.

names

my $names = $headers->names;

Return an array reference with all currently defined headers.

# Names of all headers
say for @{$headers->names};

origin

my $origin = $headers->origin;
$headers   = $headers->origin('http://example.com');

Get or replace current header value, shortcut for the Origin header from RFC 6454.

parse

$headers = $headers->parse("Content-Type: text/plain\x0d\x0a\x0d\x0a");

Parse formatted headers.
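
How "max_line_size", "max_lines", "is_finished", "is_limit_exceeded" and "leftovers" work together when headers arrive in chunks, as an added example that is not part of the Mojolicious documentation. The helpers parse_chunks and verdict and the sample input are hypothetical and constructed for illustration.

```perl
use Mojo::Base -strict;
use Mojo::Headers;

# Constructed input: one header block split across two network reads,
# with body bytes trailing the blank line that ends the headers
my @chunks = (
  "Host: example.com\x0d\x0aX-Trace: abc",
  "123\x0d\x0a\x0d\x0abody bytes"
);

# Hypothetical helper (not part of Mojo::Headers): feed chunks to a parser
# created with the given limits and stop once the parser reports it is done
sub parse_chunks {
  my ($limits, @input) = @_;
  my $headers = Mojo::Headers->new(%$limits);
  for my $chunk (@input) {
    $headers->parse($chunk);
    last if $headers->is_finished;
  }
  return $headers;
}

# Hypothetical helper: check the limit first, so a parser that stopped on a
# limit is never treated as a clean finish
sub verdict {
  my $headers = shift;
  return 'rejected: limit exceeded'   if $headers->is_limit_exceeded;
  return 'incomplete: need more data' unless $headers->is_finished;
  return 'accepted';
}

my %cases = (
  'generous limits'  => {max_line_size => 1024, max_lines => 10},
  'short lines only' => {max_line_size => 16},
  'one line only'    => {max_lines     => 1},
);

for my $name (sort keys %cases) {
  my $headers = parse_chunks($cases{$name}, @chunks);
  say "$name: ", verdict($headers);
  next unless verdict($headers) eq 'accepted';

  # Only read header values after a clean finish; whatever followed the
  # blank line is still buffered in the parser and belongs to the body
  say '  X-Trace:   ', $headers->header('X-Trace');
  say '  leftovers: ', $headers->leftovers;
}

# A block that has not reached its blank line yet is neither finished nor over a limit
say 'first chunk only: ', verdict(parse_chunks({}, $chunks[0]));
```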

proxy_authenticate

my $authenticate = $headers->proxy_authenticate;
$headers         = $headers->proxy_authenticate('Basic "realm"');

Get or replace current header value, shortcut for the Proxy-Authenticate header.

proxy_authorization

my $authorization = $headers->proxy_authorization;
$headers          = $headers->proxy_authorization('Basic Zm9vOmJhcg==');

Get or replace current header value, shortcut for the Proxy-Authorization header.

range

my $range = $headers->range;
$headers  = $headers->range('bytes=2-8');

Get or replace current header value, shortcut for the Range header.

referrer

my $referrer = $headers->referrer;
$headers     = $headers->referrer('http://example.com');

Get or replace current header value, shortcut for the Referer header. A typo in RFC 2068 resulted in Referer becoming an official header.

remove

$headers = $headers->remove('Foo');

Remove a header.

sec_websocket_accept

my $accept = $headers->sec_websocket_accept;
$headers   = $headers->sec_websocket_accept('s3pPLMBiTxaQ9kYGzzhZRbK+xOo=');

Get or replace current header value, shortcut for the Sec-WebSocket-Accept header from RFC 6455.

sec_websocket_extensions

my $extensions = $headers->sec_websocket_extensions;
$headers       = $headers->sec_websocket_extensions('foo');

Get or replace current header value, shortcut for the Sec-WebSocket-Extensions header from RFC 6455.

sec_websocket_key

my $key  = $headers->sec_websocket_key;
$headers = $headers->sec_websocket_key('dGhlIHNhbXBsZSBub25jZQ==');

Get or replace current header value, shortcut for the Sec-WebSocket-Key header from RFC 6455.

sec_websocket_protocol

my $proto = $headers->sec_websocket_protocol;
$headers  = $headers->sec_websocket_protocol('sample');

Get or replace current header value, shortcut for the Sec-WebSocket-Protocol header from RFC 6455.

sec_websocket_version

my $version = $headers->sec_websocket_version;
$headers    = $headers->sec_websocket_version(13);

Get or replace current header value, shortcut for the Sec-WebSocket-Version header from RFC 6455.

server

my $server = $headers->server;
$headers   = $headers->server('Mojo');

Get or replace current header value, shortcut for the Server header.

set_cookie

my $cookie = $headers->set_cookie;
$headers   = $headers->set_cookie('f=b; path=/');

Get or replace current header value, shortcut for the Set-Cookie header from RFC 6265.

status

my $status = $headers->status;
$headers   = $headers->status('200 OK');

Get or replace current header value, shortcut for the Status header from RFC 3875.

strict_transport_security

my $policy = $headers->strict_transport_security;
$headers   = $headers->strict_transport_security('max-age=31536000');

Get or replace current header value, shortcut for the Strict-Transport-Security header from RFC 6797.

te

my $te   = $headers->te;
$headers = $headers->te('chunked');

Get or replace current header value, shortcut for the TE header.

to_hash

my $single = $headers->to_hash;
my $multi  = $headers->to_hash(1);

Turn headers into a hash reference. Array references to represent multiple headers with the same name are disabled by default.

say $headers->to_hash->{DNT};

to_string

my $str = $headers->to_string;

Turn headers into a string, suitable for HTTP messages.

trailer

my $trailer = $headers->trailer;
$headers    = $headers->trailer('X-Foo');

Get or replace current header value, shortcut for the Trailer header.

transfer_encoding

my $encoding = $headers->transfer_encoding;
$headers     = $headers->transfer_encoding('chunked');

Get or replace current header value, shortcut for the Transfer-Encoding header.

upgrade

my $upgrade = $headers->upgrade;
$headers    = $headers->upgrade('websocket');

Get or replace current header value, shortcut for the Upgrade header.

user_agent

my $agent = $headers->user_agent;
$headers  = $headers->user_agent('Mojo/1.0');

Get or replace current header value, shortcut for the User-Agent header.

vary

my $vary = $headers->vary;
$headers = $headers->vary('*');

Get or replace current header value, shortcut for the Vary header.

www_authenticate

my $authenticate = $headers->www_authenticate;
$headers         = $headers->www_authenticate('Basic realm="realm"');

Get or replace current header value, shortcut for the WWW-Authenticate header.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.