/ 
Mojolicious-3.39
⭐ Starred 2674
/ Mojolicious
Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojolicious - Real-time web framework

SYNOPSIS

# Application
package MyApp;
use Mojo::Base 'Mojolicious';

# Route
sub startup {
  my $self = shift;
  $self->routes->get('/hello')->to('foo#hello');
}

# Controller
package MyApp::Foo;
use Mojo::Base 'Mojolicious::Controller';

# Action
sub hello {
  my $self = shift;
  $self->render(text => 'Hello World!');
}

DESCRIPTION

Take a look at our excellent documentation in Mojolicious::Guides!

ATTRIBUTES

Mojolicious inherits all attributes from Mojo and implements the following new ones.

commands

my $commands = $app->commands;
$app         = $app->commands(Mojolicious::Commands->new);

Command line interface for your application, defaults to a Mojolicious::Commands object.

# Add another namespace to load commands from
push @{$app->commands->namespaces}, 'MyApp::Command';

controller_class

my $class = $app->controller_class;
$app      = $app->controller_class('Mojolicious::Controller');

Class to be used for the default controller, defaults to Mojolicious::Controller.

mode

my $mode = $app->mode;
$app     = $app->mode('production');

The operating mode for your application, defaults to the value of the MOJO_MODE environment variable or development. You can also add per mode logic to your application by defining methods named ${mode}_mode in the application class, which will be called right before startup.

sub development_mode {
  my $self = shift;
  ...
}

sub production_mode {
  my $self = shift;
  ...
}

Right before calling startup and mode specific methods, Mojolicious will pick up the current mode, name the log file after it and raise the log level from debug to info if it has a value other than development.

plugins

my $plugins = $app->plugins;
$app        = $app->plugins(Mojolicious::Plugins->new);

The plugin manager, defaults to a Mojolicious::Plugins object. See the plugin method below if you want to load a plugin.

# Add another namespace to load plugins from
push @{$app->plugins->namespaces}, 'MyApp::Plugin';

renderer

my $renderer = $app->renderer;
$app         = $app->renderer(Mojolicious::Renderer->new);

Used in your application to render content, defaults to a Mojolicious::Renderer object. The two main renderer plugins Mojolicious::Plugin::EPRenderer and Mojolicious::Plugin::EPLRenderer contain more information.

# Add another "templates" directory
push @{$app->renderer->paths}, '/home/sri/templates';

# Add another class with templates in DATA section
push @{$app->renderer->classes}, 'Mojolicious::Plugin::Fun';

routes

my $routes = $app->routes;
$app       = $app->routes(Mojolicious::Routes->new);

The router, defaults to a Mojolicious::Routes object. You use this in your startup method to define the url endpoints for your application.

sub startup {
  my $self = shift;

  my $r = $self->routes;
  $r->get('/:controller/:action')->to('test#welcome');
}

secret

my $secret = $app->secret;
$app       = $app->secret('passw0rd');

A secret passphrase used for signed cookies and the like, defaults to the application name which is not very secure, so you should change it!!! As long as you are using the insecure default there will be debug messages in the log file reminding you to change your passphrase.

sessions

my $sessions = $app->sessions;
$app         = $app->sessions(Mojolicious::Sessions->new);

Signed cookie based session manager, defaults to a Mojolicious::Sessions object. You can usually leave this alone, see "session" in Mojolicious::Controller for more information about working with session data.

static

my $static = $app->static;
$app       = $app->static(Mojolicious::Static->new);

For serving static files from your public directories, defaults to a Mojolicious::Static object.

# Add another "public" directory
push @{$app->static->paths}, '/home/sri/public';

# Add another class with static files in DATA section
push @{$app->static->classes}, 'Mojolicious::Plugin::Fun';

types

my $types = $app->types;
$app      = $app->types(Mojolicious::Types->new);

Responsible for connecting file extensions with MIME types, defaults to a Mojolicious::Types object.

$app->types->type(twt => 'text/tweet');

METHODS

Mojolicious inherits all methods from Mojo and implements the following new ones.

new

my $app = Mojolicious->new;

Construct a new Mojolicious application, calling ${mode}_mode and startup in the process. Will automatically detect your home directory and set up logging based on your current operating mode. Also sets up the renderer, static dispatcher and a default set of plugins.

build_tx

my $tx = $app->build_tx;

Transaction builder, defaults to building a Mojo::Transaction::HTTP object.

defaults

my $defaults = $app->defaults;
my $foo      = $app->defaults('foo');
$app         = $app->defaults({foo => 'bar'});
$app         = $app->defaults(foo => 'bar');

Default values for "stash" in Mojolicious::Controller, assigned for every new request.

# Manipulate defaults
$app->defaults->{foo} = 'bar';
my $foo = $app->defaults->{foo};
delete $app->defaults->{foo};

dispatch

$app->dispatch(Mojolicious::Controller->new);

The heart of every Mojolicious application, calls the static and routes dispatchers for every request and passes them a Mojolicious::Controller object.

handler

$app->handler(Mojo::Transaction::HTTP->new);
$app->handler(Mojolicious::Controller->new);

Sets up the default controller and calls process for every request.

helper

$app->helper(foo => sub {...});

Add a new helper that will be available as a method of the controller object and the application object, as well as a function in ep templates.

# Helper
$app->helper(add => sub { $_[1] + $_[2] });

# Controller/Application
my $result = $self->add(2, 3);

# Template
%= add 2, 3

hook

$app->hook(after_dispatch => sub {...});

Extend Mojolicious with hooks, which allow code to be shared with all requests indiscriminately.

# Dispatchers will not run if there's already a response code defined
$app->hook(before_dispatch => sub {
  my $c = shift;
  $c->render(text => 'Skipped dispatchers!')
    if $c->req->url->path->contains('/do_not_dispatch');
});

These hooks are currently available and are emitted in the listed order:

after_build_tx

Emitted right after the transaction is built and before the HTTP request gets parsed.

$app->hook(after_build_tx => sub {
  my ($tx, $app) = @_;
  ...
});

This is a very powerful hook and should not be used lightly, it makes some rather advanced features such as upload progress bars possible, just note that it will not work for embedded applications. (Passed the transaction and application object)

before_dispatch

Emitted right before the static dispatcher and router start their work.

$app->hook(before_dispatch => sub {
  my $c = shift;
  ...
});

Very useful for rewriting incoming requests and other preprocessing tasks. (Passed the default controller object)

after_static_dispatch

Emitted in reverse order after the static dispatcher determined if a static file should be served and before the router starts its work.

$app->hook(after_static_dispatch => sub {
  my $c = shift;
  ...
});

Mostly used for custom dispatchers and post-processing static file responses. (Passed the default controller object)

after_dispatch

Emitted in reverse order after a response has been rendered. Note that this hook can trigger before after_static_dispatch due to its dynamic nature.

$app->hook(after_dispatch => sub {
  my $c = shift;
  ...
});

Useful for rewriting outgoing responses and other post-processing tasks. (Passed the current controller object)

around_dispatch

Emitted right before the before_dispatch hook and wraps around the whole dispatch process, so you have to manually forward to the next hook if you want to continue the chain. Default exception handling with "render_exception" in Mojolicious::Controller is the first hook in the chain and a call to dispatch the last, yours will be in between.

$app->hook(around_dispatch => sub {
  my ($next, $c) = @_;
  ...
  $next->();
  ...
});

This is a very powerful hook and should not be used lightly, it allows you to customize application wide exception handling for example, consider it the sledgehammer in your toolbox. (Passed a callback leading to the next hook and the default controller object)

plugin

$app->plugin('some_thing');
$app->plugin('some_thing', foo => 23);
$app->plugin('some_thing', {foo => 23});
$app->plugin('SomeThing');
$app->plugin('SomeThing', foo => 23);
$app->plugin('SomeThing', {foo => 23});
$app->plugin('MyApp::Plugin::SomeThing');
$app->plugin('MyApp::Plugin::SomeThing', foo => 23);
$app->plugin('MyApp::Plugin::SomeThing', {foo => 23});

Load a plugin with "register_plugin" in Mojolicious::Plugins.

These plugins are included in the Mojolicious distribution as examples:

Mojolicious::Plugin::Charset

Change the application charset.

Mojolicious::Plugin::Config

Perl-ish configuration files.

Mojolicious::Plugin::DefaultHelpers

General purpose helper collection, loaded automatically.

Mojolicious::Plugin::EPLRenderer

Renderer for plain embedded Perl templates, loaded automatically.

Mojolicious::Plugin::EPRenderer

Renderer for more sophisiticated embedded Perl templates, loaded automatically.

Mojolicious::Plugin::HeaderCondition

Route condition for all kinds of headers, loaded automatically.

Mojolicious::Plugin::JSONConfig

JSON configuration files.

Mojolicious::Plugin::Mount

Mount whole Mojolicious applications.

Mojolicious::Plugin::PODRenderer

Renderer for turning POD into HTML and documentation browser for Mojolicious::Guides.

Mojolicious::Plugin::PoweredBy

Add an X-Powered-By header to outgoing responses, loaded automatically.

Mojolicious::Plugin::RequestTimer

Log timing information, loaded automatically.

Mojolicious::Plugin::TagHelpers

Template specific helper collection, loaded automatically.

start

$app->start;
$app->start(@ARGV);

Start the command line interface for your application with "start" in Mojolicious::Commands.

# Always start daemon and ignore @ARGV
$app->start('daemon', '-l', 'http://*:8080');

startup

$app->startup;

This is your main hook into the application, it will be called at application startup. Meant to be overloaded in a subclass.

sub startup {
  my $self = shift;
  ...
}

HELPERS

In addition to the attributes and methods above you can also call helpers on Mojolicious objects. This includes all helpers from Mojolicious::Plugin::DefaultHelpers and Mojolicious::Plugin::TagHelpers. Note that application helpers are always called with a new default controller object, so they can't depend on or change controller state, which includes request, response and stash.

$app->log->debug($app->dumper({foo => 'bar'}));

SUPPORT

Web

http://mojolicio.us

IRC

#mojo on irc.perl.org

Mailing-List

http://groups.google.com/group/mojolicious

DEVELOPMENT

Repository

http://github.com/kraih/mojo

BUNDLED FILES

The Mojolicious distribution includes a few files with different licenses that have been bundled for internal use.

Mojolicious Artwork

Copyright (C) 2010-2012, Sebastian Riedel.

Licensed under the CC-SA License, Version 3.0 http://creativecommons.org/licenses/by-sa/3.0.

jQuery

Copyright (C) 2011, John Resig.

Licensed under the MIT License, http://creativecommons.org/licenses/MIT.

prettify.js

Copyright (C) 2006, Google Inc.

Licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.

CODE NAMES

Every major release of Mojolicious has a code name, these are the ones that have been used in the past.

3.0, Rainbow (u1F308)

2.0, Leaf Fluttering In Wind (u1F343)

1.4, Smiling Face With Sunglasses (u1F60E)

1.3, Tropical Drink (u1F379)

1.1, Smiling Cat Face With Heart-Shaped Eyes (u1F63B)

1.0, Snowflake (u2744)

0.999930, Hot Beverage (u2615)

0.999927, Comet (u2604)

0.999920, Snowman (u2603)

PROJECT FOUNDER

Sebastian Riedel, sri@cpan.org

CORE DEVELOPERS

Current members of the core team in alphabetical order:

Abhijit Menon-Sen, ams@cpan.org

Glen Hinkle, tempire@cpan.org

Marcus Ramberg, mramberg@cpan.org

CREDITS

In alphabetical order:

Adam Kennedy

Adriano Ferreira

Al Newkirk

Alex Salimon

Alexey Likhatskiy

Anatoly Sharifulin

Andre Vieth

Andreas Jaekel

Andreas Koenig

Andrew Fresh

Andrey Khozov

Andy Grundman

Aristotle Pagaltzis

Ashley Dev

Ask Bjoern Hansen

Audrey Tang

Ben van Staveren

Benjamin Erhart

Bernhard Graf

Breno G. de Oliveira

Brian Duggan

Burak Gursoy

Ch Lamprecht

Charlie Brady

Chas. J. Owens IV

Christian Hansen

chromatic

Curt Tilmes

Daniel Kimsey

Danijel Tasov

Danny Thomas

David Davis

Diego Kuperman

Dmitriy Shalashov

Dmitry Konstantinov

Dominique Dumont

Douglas Christopher Wilson

Eugene Toropov

Gisle Aas

Graham Barr

Henry Tang

Hideki Yamamura

Ilya Chesnokov

James Duncan

Jan Jona Javorsek

Jaroslav Muhin

Jesse Vincent

Joel Berger

Johannes Plunien

John Kingsley

Jonathan Yu

Kazuhiro Shibuya

Kevin Old

Kitamura Akatsuki

Lars Balker Rasmussen

Leon Brocard

Magnus Holm

Maik Fischer

Mark Stosberg

Marty Tennison

Matthew Lineen

Maksym Komar

Maxim Vuets

Michael Harris

Mike Magowan

Mirko Westermeier

Mons Anderson

Moritz Lenz

Neil Watkiss

Nic Sandfield

Nils Diewald

Oleg Zhelo

Pascal Gaudette

Paul Evans

Paul Tomlin

Pedro Melo

Peter Edwards

Pierre-Yves Ritschard

Quentin Carbonneaux

Rafal Pocztarski

Randal Schwartz

Robert Hicks

Robin Lee

Roland Lammel

Ryan Jendoubi

Sascha Kiefer

Scott Wiersdorf

Sergey Zasenko

Simon Bertrang

Simone Tampieri

Shu Cho

Skye Shaw

Stanis Trendelenburg

Stephane Este-Gracias

Tatsuhiko Miyagawa

Terrence Brannon

The Perl Foundation

Tomas Znamenacek

Ulrich Habel

Ulrich Kautz

Uwe Voelker

Viacheslav Tykhanovskyi

Victor Engmark

Viliam Pucik

Wes Cravens

Yaroslav Korshak

Yuki Kimoto

Zak B. Elep

COPYRIGHT AND LICENSE

Copyright (C) 2008-2012, Sebastian Riedel.

This program is free software, you can redistribute it and/or modify it under the terms of the Artistic License version 2.0.