Security Advisories (13)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

NAME

Mojo::URL - Uniform Resource Locator

SYNOPSIS

use Mojo::URL;

# Parse
my $url = Mojo::URL->new(
    'http://sri:foobar@kraih.com:3000/foo/bar?foo=bar#23'
);
print $url->scheme;
print $url->userinfo;
print $url->host;
print $url->port;
print $url->path;
print $url->query;
print $url->fragment;

# Build
my $url = Mojo::URL->new;
$url->scheme('http');
$url->userinfo('sri:foobar');
$url->host('kraih.com');
$url->port(3000);
$url->path->parts(qw/foo bar/);
$url->query->params(foo => 'bar');
$url->fragment(23);
print "$url";

DESCRIPTION

Mojo::URL implements a subset of RFC 3986 for Uniform Resource Locators.

ATTRIBUTES

Mojo::URL implements the following attributes.

`authority`

my $authority = $url->autority;
$url          = $url->authority('root:pass%3Bw0rd@localhost:8080');

`base`

my $base = $url->base;
$url     = $url->base(Mojo::URL->new);

`fragment`

my $fragment = $url->fragment;
$url         = $url->fragment('foo');

`host`

my $host = $url->host;
$url     = $url->host('127.0.0.1');

`port`

my $port = $url->port;
$url     = $url->port(8080);

`scheme`

my $scheme = $url->scheme;
$url       = $url->scheme('http');

`userinfo`

my $userinfo = $url->userinfo;
$url         = $url->userinfo('root:pass%3Bw0rd');

METHODS

Mojo::URL inherits all methods from Mojo::Base and implements the following new ones.

`new`

my $url = Mojo::URL->new;
my $url = Mojo::URL->new('http://127.0.0.1:3000/foo?f=b&baz=2#foo');

`clone`

my $url2 = $url->clone;

`ihost`

my $ihost = $url->ihost;
$url      = $url->ihost('xn--bcher-kva.ch');

`is_abs`

my $is_abs = $url->is_abs;

`parse`

$url = $url->parse('http://127.0.0.1:3000/foo/bar?fo=o&baz=23#foo');

`path`

my $path = $url->path;
$url     = $url->path('/foo/bar');
$url     = $url->path(Mojo::Path->new);

`query`

my $query = $url->query;
$url      = $url->query(name => 'value');
$url      = $url->query([name => 'value']);
$url      = $url->query(Mojo::Parameters->new);

`to_abs`

my $abs = $url->to_abs;
my $abs = $url->to_abs(Mojo::URL->new('http://kraih.com/foo'));

`to_rel`

my $rel = $url->to_rel;
my $rel = $url->to_rel(Mojo::URL->new('http://kraih.com/foo'));

`to_string`

my $string = $url->to_string;

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

ATTRIBUTES

authority

base

fragment

host

port

scheme

userinfo

METHODS

new

clone

ihost

is_abs

parse

path

query

to_abs

to_rel

to_string

SEE ALSO

Module Install Instructions

Keyboard Shortcuts