Security Advisories (13)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows.

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
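
The traversal advisories above (CVE-2011-1589 with its %2f..%2f sequence, and the Windows backslash entries) come down to the order in which a path is decoded and checked. The following Perl is an added illustration, not code from Mojolicious or its Path.pm; the function names, sample paths and the placeholder file name are constructed for the example, and the "weak" variant is an assumed way such a bug can arise.

```perl
use strict;
use warnings;

# Minimal percent-decoder for this illustration.
sub pct_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Weak order (hypothetical): look for ".." between literal slashes, decode later.
# "%2f..%2f" holds no literal slash, so the check never sees a ".." segment.
sub resolve_weak {
    my ($raw) = @_;
    my @parts = grep { $_ ne '' } split m{/}, $raw;
    return undef if grep { $_ eq '..' } @parts;
    return join '/', map { pct_decode($_) } @parts;
}

# Hardened order (hypothetical): decode exactly once, split on both separators,
# resolve dot segments, and refuse any path that would climb above the root.
sub resolve_strict {
    my ($raw) = @_;
    my $path = pct_decode($raw);
    return undef if $path =~ /\0/;    # NUL bytes never belong in a file name
    my @out;
    for my $seg (split m{[/\\]}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            return undef unless @out;    # would escape the document root
            pop @out;
            next;
        }
        push @out, $seg;
    }
    return join '/', @out;
}

# Constructed request paths; "secret.txt" is a placeholder name.
my @samples = ('/css/site.css', '/a/../index.html',
    '/%2f..%2f..%2fsecret.txt', '/img\\..\\..\\secret.txt');
for my $raw (@samples) {
    my ($weak, $strict) = (resolve_weak($raw), resolve_strict($raw));
    printf "%-26s weak=%-22s strict=%s\n", $raw,
        $weak // 'REJECTED', $strict // 'REJECTED';
}
```

The weak resolver passes the encoded and backslash forms through with their dot segments intact, while the strict one rejects both and still resolves the benign /a/../index.html inside the root.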

NAME

Mojolicious::Controller - Controller Base Class

SYNOPSIS

use base 'Mojolicious::Controller';

DESCRIPTION

Mojolicious::Controller is the base class for your Mojolicious controllers. It is also the default controller class for Mojolicious unless you set controller_class in your application.

ATTRIBUTES

Mojolicious::Controller inherits all attributes from MojoX::Dispatcher::Routes::Controller.

METHODS

Mojolicious::Controller inherits all methods from MojoX::Dispatcher::Routes::Controller and implements the following new ones.

client

my $client = $c->client;

A Mojo::Client prepared for the current environment.

finish

$c->finish;

Similar to resume but will also trigger automatic rendering and the after_dispatch plugin hook, which would normally get disabled once a request gets paused. For WebSockets it will gracefully end the connection.

helper

$c->helper('foo');
$c->helper(foo => 23);

Directly call a Mojolicious helper, see Mojolicious::Plugin::DefaultHelpers for a list of helpers that are always available.

pause

$c->pause;

Pause transaction associated with this request, used for asynchronous web applications. Note that automatic rendering and some plugins that do state changing operations inside the after_dispatch hook won't work if you pause a transaction.

receive_message

$c->receive_message(sub {...});

Receive messages via WebSocket, only works if there is currently a WebSocket connection in progress.

$c->receive_message(sub {
    my ($self, $message) = @_;
});

redirect_to

$c = $c->redirect_to('named');
$c = $c->redirect_to('named', foo => 'bar');
$c = $c->redirect_to('/path');
$c = $c->redirect_to('http://127.0.0.1/foo/bar');

Prepare a redirect response.

render

$c->render;
$c->render(controller => 'foo', action => 'bar');
$c->render({controller => 'foo', action => 'bar'});
$c->render(text => 'Hello!');
$c->render(template => 'index');
$c->render(template => 'foo/index');
$c->render(template => 'index', format => 'html', handler => 'epl');
$c->render(handler => 'something');
$c->render('foo/bar');
$c->render('foo/bar', format => 'html');
$c->render('foo/bar', {format => 'html'});

This is a wrapper around MojoX::Renderer exposing pretty much all functionality provided by it. It will set a default template to use based on the controller and action name or fall back to the route name. You can call it with a hash of options which can be preceded by an optional template name.

render_exception

$c->render_exception($e);

Render the exception template exception.html.$handler. Sets the status code to 500 (Internal Server Error). Takes a Mojo::Exception object and will fall back to rendering a static 500 page using MojoX::Renderer::Static.

render_inner

my $output = $c->render_inner;
my $output = $c->render_inner('content');
my $output = $c->render_inner(content => 'Hello world!');

Contains partially rendered templates, used for the renderer's layout and extends features.

render_json

$c->render_json({foo => 'bar'});
$c->render_json([1, 2, -3]);

Render a data structure as JSON.

render_not_found

$c->render_not_found;

Render the not found template not_found.html.$handler. Also sets the response status code to 404, and will fall back to rendering a static 404 page using MojoX::Renderer::Static.

render_partial

my $output = $c->render_partial;
my $output = $c->render_partial(action => 'foo');

Same as render but returns the rendered result.

render_static

$c->render_static('images/logo.png');

Render a static asset using MojoX::Dispatcher::Static.

render_text

$c->render_text('Hello World!');
$c->render_text('Hello World', layout => 'green');

Render the given content as plain text.

resume

$c->resume;

Resume transaction associated with this request, used for asynchronous web applications.

send_message

$c->send_message('Hi there!');

Send a message via WebSocket, only works if there is currently a WebSocket connection in progress.

url_for

my $url = $c->url_for;
my $url = $c->url_for(controller => 'bar', action => 'baz');
my $url = $c->url_for('named', controller => 'bar', action => 'baz');

Generate a Mojo::URL for the current or a named route.

SEE ALSO

Mojolicious, Mojolicious::Book, http://mojolicious.org.