Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.
Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.
Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
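The encoded-slash traversal described above (%2f..%2f) is typical of path checks that run before percent-decoding. The following is an added example, not Mojolicious's Path.pm code: it contrasts a check-then-decode resolver with a decode-then-check one. The function names, the document root /srv/public and the sample request paths are constructed for illustration.

```perl
use strict;
use warnings;

# Percent-decode a URI path (bytes only, no charset handling).
sub url_unescape {
    my ($s) = @_;
    $s =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
    return $s;
}

# Weak form: splits on literal "/" and rejects ".." BEFORE decoding,
# so "%2f..%2f" is never seen as a separate ".." segment.
sub resolve_weak {
    my ($root, $uri_path) = @_;
    my @parts = grep { length } split m{/}, $uri_path;
    return if grep { $_ eq '..' } @parts;
    return join '/', $root, map { url_unescape($_) } @parts;
}

# Hardened form: decode once, then walk the decoded segments and refuse
# any ".." segment (and NUL bytes) before building the file system path.
sub resolve_safe {
    my ($root, $uri_path) = @_;
    my $decoded = url_unescape($uri_path);
    return if $decoded =~ /\0/;
    my @clean;
    for my $seg (split m{/}, $decoded) {
        next if $seg eq '' || $seg eq '.';
        return if $seg eq '..';
        push @clean, $seg;
    }
    return join '/', $root, @clean;
}

# Constructed sample requests against a hypothetical document root.
for my $path ('/css/site.css', '/static%2f..%2f..%2fapp.conf') {
    my $weak = resolve_weak('/srv/public', $path);
    my $safe = resolve_safe('/srv/public', $path);
    printf "%-30s weak=%s safe=%s\n", $path,
        defined $weak ? $weak : 'REJECTED',
        defined $safe ? $safe : 'REJECTED';
}
```

For the second request the weak resolver returns /srv/public/static/../../app.conf, which the file system resolves outside the document root, while the hardened resolver rejects it.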
Code name "Snowman", this is a major release, which means deprecation policies apply. (See also "perldoc Mojolicious::Book::CodingGuidelines")
Renamed distribution from Mojo to Mojolicious.
Deprecated $VERSION in Mojo, new $VERSION lives in Mojolicious. Make sure to update your modules depending on Mojo to depend on Mojolicious in the future.
Deprecated Mojo::Transaction::Single, make sure to update all old code to use Mojo::Transaction::HTTP instead.
MOJO_RELOAD=1 now works with Mojolicious::Lite, have fun!
Allow reloading to be triggered once by a USR1 or WINCH (win32) signal.
Added --reload flag to all server bindings as an alternative to MOJO_RELOAD=1.
Added WebSocket support.
Added IPv6 support.
Added SSL/TLS support.
Added IDNA support.
Added UNIX domain socket support to daemons.
Added transparent kqueue and epoll support to daemons and client.
Added support for listening to multiple locations to the daemons.
    mojo daemon --listen http://127.0.0.1:3000
    mojo daemon --listen http://127.0.0.1:3000,file:///tmp/my.sock
    mojo daemon --listen http://*:3000,http://*:3001,http://*:3002
    mojo daemon --listen http://[::1]:3000
    mojo daemon --listen https://*:443:/x/server.crt:/x/server.key
Added routes captures to params in Mojolicious.
Added native PSGI support.
Added the ability to have multiple Mojolicious::Lite apps at once. (Mojolicious::Lite is not a singleton anymore!)
Added charset plugin to Mojolicious. (charsbar)
Added simple reverse proxy support with tests.
Added simpler way to define default controller and action for a route.
    $r->route('/foo')->to('mycontroller#myaction');
Added simple way to define default controller or action for a route. (mvuets)
    $r->route('/foo/:controller')->to('#myaction');
    $r->route('/foo/:action')->to('mycontroller#');
Added multipart post support to Test::Mojo. (yuki-kimoto)
Added env attribute to Mojo::Message::Request.
Added range support to MojoX::Dispatcher::Static. (xantus)
Added version command.
Added after_build_tx plugin hook.
Added timer support to Mojo::IOLoop.
Added the ability to run multiple parallel ioloops that block each other.
Added default_template_class attribute to MojoX::Renderer.
Added render_static method to Mojolicious::Controller.
Added support for embedded Mojolicious applications.
Added json_config plugin to Mojolicious. (vti)
Added the ability to reload the application and (graceful) restart all children to the prefork daemon.
Added to_hash and from_hash methods to Mojo::Headers. (vti)
Added post_form method to Mojo::Client.
Added find_route method to MojoX::Routes.
Added buffer size limits to the message parser.
Added child_status method to Mojo::Server::Daemon::Prefork. (und3f)
Added header_condition plugin to Mojolicious. (xantus)
Added finish method to Mojolicious::Controller.
Added WebSocket support to Mojolicious and Mojolicious::Lite.
Added message body support to Mojo::Client api. (tempire)
Added stash helper.
Added POD renderer plugin to Mojolicious. (vti)
Added inflate command to Mojolicious. (vti, korshak)
Added singleton support to Mojo::Client.
Started working on the Mojolicious book.
Started adding reference documentation. (marcus)
Improved HTTP 1.1 state machine.
Improved exception handling in Mojo::Client, Mojo::Server::Daemon and Mojo::IOLoop.
Disabled Nagle's algorithm in Mojo::IOLoop.
Changed the testing framework to always run real world tests with daemon and TCP connections.
Changed exceptions to stay out of your way as much as possible.
Made all Mojolicious after_* plugin hooks run in reverse order.
Made param decoding more defensive and allow malformed data to pass through for debugging.
Made Mojo::IOLoop very hard to kill.
Reduced Mojolicious log output outside of development mode.
Polished Mojo::Client api.
Fixed connect error handling in Mojo::Client.
Fixed double encoding of JSON data with charset plugin. (yuki-kimoto)
Fixed prefork daemon signal handling.
Fixed backslash encoding bug in Mojo::JSON.
Fixed memory leaks in Mojolicious plugins. (sharifulin)
Fixed memory leaks in .ep templates. (vti)
Fixed makefile and app generators.
Fixed a case where an ending tag would be interpreted as a line start in Mojo::Template.
Fixed multipart charset handling and added the ability to disable param decoding.
Fixed format detection bug. (marcus)
Fixed named url_for and added tests. (marcus)
Fixed decamelize of multiple uppercase characters.
Fixed plugins and commands to work with multiple namespaces and reloading.
Fixed multiple process calls in Mojo::Client.
Fixed a routes parser bug.
Fixed a bug that caused waypoint actions to run twice.
Fixed a bug where to_abs and to_rel could not be called multiple times on a Mojo::URL object. (vti)
Fixed development mode log level. (ka2u)
Fixed query string support in Mojo::URL. (vti)
Fixed rendering without template name.
Fixed large file upload bug. (vti, sharifulin)
Fixed a small inconsistency between relaxed and wildcard placeholders.