Security Advisories (13)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

NAME

Mojo::Server::Daemon - Async IO HTTP 1.1 And WebSocket Server

SYNOPSIS

use Mojo::Server::Daemon;

my $daemon = Mojo::Server::Daemon->new;
$daemon->listen('http://*:8080');
$daemon->run;

DESCRIPTION

Mojo::Server::Daemon is a full featured async io HTTP 1.1 and WebSocket server with IPv6, TLS, epoll, kqueue, hot deployment and UNIX domain socket sharing support.

Optional modules IO::KQueue, IO::Epoll, IO::Socket::INET6 and IO::Socket::SSL are supported transparently and used if installed.

ATTRIBUTES

Mojo::Server::Daemon inherits all attributes from Mojo::Server and implements the following new ones.

`group`

my $group = $daemon->group;
$daemon   = $daemon->group('users');

`ioloop`

my $loop = $daemon->ioloop;
$daemon  = $daemon->ioloop(Mojo::IOLoop->new);

`keep_alive_timeout`

my $keep_alive_timeout = $daemon->keep_alive_timeout;
$daemon                = $daemon->keep_alive_timeout(15);

`listen`

my $listen = $daemon->listen;
$daemon    = $daemon->listen('https:localhost:3000,file:/my.sock');

`listen_queue_size`

my $listen_queue_size = $daemon->listen_queue_zise;
$daemon               = $daemon->listen_queue_zise(128);

`lock_file`

my $lock_file = $daemon->lock_file;
$daemon       = $daemon->lock_file('/tmp/mojo_daemon.lock');

`max_clients`

my $max_clients = $daemon->max_clients;
$daemon         = $daemon->max_clients(1000);

`max_keep_alive_requests`

my $max_keep_alive_requests = $daemon->max_keep_alive_requests;
$daemon                     = $daemon->max_keep_alive_requests(100);

`pid_file`

my $pid_file = $daemon->pid_file;
$daemon      = $daemon->pid_file('/tmp/mojo_daemon.pid');

`silent`

my $silent = $daemon->silent;
$daemon    = $daemon->silent(1);

`user`

my $user = $daemon->user;
$daemon  = $daemon->user('web');

`websocket_timeout`

my $websocket_timeout = $server->websocket_timeout;
$server               = $server->websocket_timeout(300);

Timeout in seconds for WebSockets to be idle, defaults to 300.

METHODS

Mojo::Server::Daemon inherits all methods from Mojo::Server and implements the following new ones.

`accept_lock`

my $lock = $daemon->accept_lock($blocking);

`accept_unlock`

$daemon->accept_unlock;

`prepare_ioloop`

$daemon->prepare_ioloop;

`prepare_lock_file`

$daemon->prepare_lock_file;

`prepare_pid_file`

$daemon->prepare_pid_file;

`run`

$daemon->run;

`setuidgid`

$daemon->setuidgid;

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

ATTRIBUTES

group

ioloop

keep_alive_timeout

listen

listen_queue_size

lock_file

max_clients

max_keep_alive_requests

pid_file

silent

user

websocket_timeout

METHODS

accept_lock

accept_unlock

prepare_ioloop

prepare_lock_file

prepare_pid_file

run

setuidgid

SEE ALSO

Module Install Instructions

Keyboard Shortcuts