Security Advisories (13)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::Client - Async IO HTTP 1.1 And WebSocket Client

SYNOPSIS

use Mojo::Client;
my $client = Mojo::Client->new;

# Grab the latest Mojolicious release :)
my $latest = 'http://mojolicious.org/Mojolicious-latest.tar.gz';
print $client->get($latest)->res->body;

# Quick JSON request
my $trends = 'http://search.twitter.com/trends.json';
print $client->get($trends)->res->json->{trends}->[0]->{name};

# Extract data from HTML and XML resources
print $client->get('mojolicious.org')->res->dom->at('title')->text;

# Scrape the latest headlines from a news site
my $news = 'http://digg.com';
$client->get($news)->res->dom->find("h3 > a.offsite")->each(sub {
    print shift->text . "\n";
});

# Form post with exception handling
my $cpan   = 'http://search.cpan.org/search';
my $search = {q => 'mojo'};
my $tx     = $client->post_form($cpan => $search);
if (my $res = $tx->success) { print $res->body }
else {
    my ($message, $code) = $tx->error;
    print "Error: $message";
}

# Parallel requests
my $callback = sub { print shift->res->body };
$client->get('http://mojolicious.org' => $callback);
$client->get('http://search.cpan.org' => $callback);
$client->process;

# Websocket request
$client->websocket(
    'ws://websockets.org:8787' => sub {
        my $client = shift;
        $client->receive_message(
            sub {
                my ($client, $message) = @_;
                print "$message\n";
                $client->finish;
            }
        );
        $client->send_message('hi there!');
    }
)->process;

DESCRIPTION

Mojo::Client is a full featured async io HTTP 1.1 and WebSocket client with IPv6, TLS, epoll and kqueue support.

Optional modules IO::KQueue, IO::Epoll, IO::Socket::INET6 and IO::Socket::SSL are supported transparently and used if installed.

ATTRIBUTES

Mojo::Client implements the following attributes.

`app`

my $app = $client->app;
$client = $client->app(MyApp->new);

A Mojo application to associate this client with. If set, local requests will be processed in this application.

`cookie_jar`

my $cookie_jar = $client->cookie_jar;
$client        = $client->cookie_jar(Mojo::CookieJar->new);

Cookie jar to use for this clients requests, by default a Mojo::CookieJar object.

`http_proxy`

my $proxy = $client->http_proxy;
$client   = $client->http_proxy('http://sri:secret@127.0.0.1:8080');

Proxy server to use for HTTP and WebSocket requests.

`https_proxy`

my $proxy = $client->https_proxy;
$client   = $client->https_proxy('http://sri:secret@127.0.0.1:8080');

Proxy server to use for HTTPS and WebSocket requests.

`ioloop`

my $loop = $client->ioloop;
$client  = $client->ioloop(Mojo::IOLoop->new);

Loop object to use for io operations, by default a Mojo::IOLoop object will be used.

`keep_alive_timeout`

my $keep_alive_timeout = $client->keep_alive_timeout;
$client                = $client->keep_alive_timeout(15);

Timeout in seconds for keep alive between requests, defaults to 15.

`log`

my $log = $client->log;
$client = $client->log(Mojo::Log->new);

A Mojo::Log object used for logging, by default the application log will be used.

`max_keep_alive_connections`

my $max_keep_alive_connections = $client->max_keep_alive_connections;
$client                        = $client->max_keep_alive_connections(5);

Maximum number of keep alive connections that the client will retain before it starts closing the oldest cached ones, defaults to 5.

`max_redirects`

my $max_redirects = $client->max_redirects;
$client           = $client->max_redirects(3);

Maximum number of redirects the client will follow before it fails, defaults to 0.

`tls_ca_file`

my $tls_ca_file = $client->tls_ca_file;
$client         = $client->tls_ca_file('/etc/tls/cacerts.pem');

TLS certificate authority file to use, defaults to the MOJO_CA_FILE environment variable. Note that IO::Socket::SSL must be installed for HTTPS support.

`tls_verify_cb`

my $tls_verify_cb = $client->tls_verify_cb;
$client           = $client->tls_verify_cb(sub {...});

Callback to verify your TLS connection, by default the client will accept most certificates. Note that IO::Socket::SSL must be installed for HTTPS support.

`tx`

$client->tx;

The last finished transaction, only available from callbacks.

`websocket_timeout`

my $websocket_timeout = $client->websocket_timeout;
$client               = $client->websocket_timeout(300);

Timeout in seconds for WebSockets to be idle, defaults to 300.

METHODS

Mojo::Client inherits all methods from Mojo::Base and implements the following new ones.

`new`

my $client = Mojo::Client->new;

Construct a new Mojo::Client object. Use singleton if you want to share keep alive connections with other clients.

`async`

my $async = $client->async;

Clone client instance and start using the global shared Mojo::IOLoop singleton if it is running. Note that all cloned clients have their own keep alive connection queue, so you can quickly run out of file descriptors with too many active clients.

`build_form_tx`

my $tx = $client->build_form_tx('http://kraih.com/foo' => {test => 123});
my $tx = $client->build_form_tx(
    'http://kraih.com/foo',
    'UTF-8',
    {test => 123}
);
my $tx = $client->build_form_tx(
    'http://kraih.com/foo',
    {test => 123},
    {Expect => 'fun'}
);
my $tx = $client->build_form_tx(
    'http://kraih.com/foo',
    'UTF-8',
    {test => 123},
    {Expect => 'fun'}
);
my $tx = $client->build_form_tx(
    'http://kraih.com/foo',
    {file => {file => '/foo/bar.txt'}}
);
my $tx = $client->build_form_tx(
    'http://kraih.com/foo',
    {file => {content => 'lalala'}}
);
my $tx = $client->build_form_tx(
    'http://kraih.com/foo',
    {myzip => {file => $asset, filename => 'foo.zip'}}
);

Versatile transaction builder for forms.

my $tx = $client->build_form_tx('http://kraih.com/foo' => {test => 123});
$tx->res->body(sub { print $_[1] });
$client->process($tx);

`build_tx`

my $tx = $client->build_tx(GET => 'mojolicious.org');
my $tx = $client->build_tx(POST => 'http://mojolicious.org');
my $tx = $client->build_tx(
    GET => 'http://kraih.com' => {Connection => 'close'}
);
my $tx = $client->build_tx(
    POST => 'http://kraih.com' => {Connection => 'close'} => 'Hi!'
);

Versatile general purpose transaction builder.

# Streaming response
my $tx = $client->build_tx(GET => 'http://mojolicious.org');
$tx->res->body(sub { print $_[1] });
$client->process($tx);

# Custom socket
my $tx = $client->build_tx(GET => 'http://mojolicious.org');
$tx->connection($socket);
$client->process($tx);

`build_websocket_tx`

my $tx = $client->build_websocket_tx('ws://localhost:3000');

WebSocket transaction builder.

`clone`

my $clone = $client->clone;

Clone client the instance. Note that all cloned clients have their own keep alive connection queue, so you can quickly run out of file descriptors with too many active clients.

`delete`

my $tx  = $client->delete('http://kraih.com');
my $tx  = $client->delete('http://kraih.com' => {Connection => 'close'});
my $tx  = $client->delete(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!'
);
$client = $client->delete('http://kraih.com' => sub {...});
$client = $client->delete(
    'http://kraih.com' => {Connection => 'close'} => sub {...}
);
$client = $client->delete(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!' => sub {...}
);

Send a HTTP DELETE request.

`detect_proxy`

$client = $client->detect_proxy;

Check environment variables for proxy information.

`finish`

$client->finish;

Finish the WebSocket connection, only available from callbacks.

`finished`

$client->finished(sub {...});

Callback signaling that peer finished the WebSocket connection, only available from callbacks.

$client->finished(sub {
    my $client = shift;
});

`get`

my $tx  = $client->get('http://kraih.com');
my $tx  = $client->get('http://kraih.com' => {Connection => 'close'});
my $tx  = $client->get(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!'
);
$client = $client->get('http://kraih.com' => sub {...});
$client = $client->get(
    'http://kraih.com' => {Connection => 'close'} => sub {...}
);
$client = $client->get(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!' => sub {...}
);

Send a HTTP GET request.

`head`

my $tx  = $client->head('http://kraih.com');
my $tx  = $client->head('http://kraih.com' => {Connection => 'close'});
my $tx  = $client->head(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!'
);
$client = $client->head('http://kraih.com' => sub {...});
$client = $client->head(
    'http://kraih.com' => {Connection => 'close'} => sub {...}
);
$client = $client->head(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!' => sub {...}
);

Send a HTTP HEAD request.

`post`

my $tx  = $client->post('http://kraih.com');
my $tx  = $client->post('http://kraih.com' => {Connection => 'close'});
my $tx  = $client->post(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!'
);
$client = $client->post('http://kraih.com' => sub {...});
$client = $client->post(
    'http://kraih.com' => {Connection => 'close'} => sub {...}
);
$client = $client->post(
    'http://kraih.com',
    {Connection => 'close'},
    'message body',
    sub {...}
);
$client = $client->post(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!' => sub {...}
);

Send a HTTP POST request.

`post_form`

my $tx  = $client->post_form('http://kraih.com/foo' => {test => 123});
my $tx  = $client->post_form(
    'http://kraih.com/foo'
    'UTF-8',
    {test => 123}
);
my $tx  = $client->post_form(
    'http://kraih.com/foo',
    {test => 123},
    {Expect => 'fun'}
);
my $tx  = $client->post_form(
    'http://kraih.com/foo',
    'UTF-8',
    {test => 123},
    {Expect => 'fun'}
);
my $tx = $client->post_form(
    'http://kraih.com/foo',
    {file => {file => '/foo/bar.txt'}}
);
my $tx= $client->post_form(
    'http://kraih.com/foo',
    {file => {content => 'lalala'}}
);
my $tx = $client->post_form(
    'http://kraih.com/foo',
    {myzip => {file => $asset, filename => 'foo.zip'}}
);
$client = $client->post_form('/foo' => {test => 123}, sub {...});
$client = $client->post_form(
    'http://kraih.com/foo',
    'UTF-8',
    {test => 123},
    sub {...}
);
$client = $client->post_form(
    'http://kraih.com/foo',
    {test => 123},
    {Expect => 'fun'},
    sub {...}
);
$client = $client->post_form(
    'http://kraih.com/foo',
    'UTF-8',
    {test => 123},
    {Expect => 'fun'},
    sub {...}
);
$client = $client->post_form(
    'http://kraih.com/foo',
    {file => {file => '/foo/bar.txt'}},
    sub {...}
);
$client = $client->post_form(
    'http://kraih.com/foo',
    {file => {content => 'lalala'}},
    sub {...}
);
$client = $client->post_form(
    'http://kraih.com/foo',
    {myzip => {file => $asset, filename => 'foo.zip'}},
    sub {...}
);

Send a HTTP POST request with form data.

`process`

$client = $client->process;
$client = $client->process(@transactions);
$client = $client->process(@transactions => sub {...});

Process all queued transactions. Will be blocking unless you have a global shared ioloop and use the async method.

`put`

my $tx  = $client->put('http://kraih.com');
my $tx  = $client->put('http://kraih.com' => {Connection => 'close'});
my $tx  = $client->put(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!'
);
$client = $client->put('http://kraih.com' => sub {...});
$client = $client->put(
    'http://kraih.com' => {Connection => 'close'} => sub {...}
);
$client = $client->put(
    'http://kraih.com' => {Connection => 'close'} => 'Hi!' => sub {...}
);

Send a HTTP PUT request.

`queue`

$client = $client->queue(@transactions);
$client = $client->queue(@transactions => sub {...});

Queue a list of transactions for processing.

`receive_message`

$client = $client->receive_message(sub {...});

Receive messages via WebSocket, only available from callbacks.

$client->receive_message(sub {
    my ($client, $message) = @_;
});

`req`

my $req = $client->req;

The request object of the last finished transaction, only available from callbacks.

`res`

my $res = $client->res;

The response object of the last finished transaction, only available from callbacks.

`singleton`

my $client = Mojo::Client->singleton;

The global client object, used to access a single shared client instance from everywhere inside the process.

`send_message`

$client = $client->send_message('Hi there!');

Send a message via WebSocket, only available from callbacks.

`test_server`

my $port = $client->test_server;

Starts a test server for app if neccessary and returns the port number. Note that this method is EXPERIMENTAL and might change without warning!

`websocket`

$client = $client->websocket('ws://localhost:3000' => sub {...});
$client = $client->websocket(
    'ws://localhost:3000' => {'User-Agent' => 'Agent 1.0'} => sub {...}
);

Open a WebSocket connection with transparent handshake.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

ATTRIBUTES

app

cookie_jar

http_proxy

https_proxy

ioloop

keep_alive_timeout

log

max_keep_alive_connections

max_redirects

tls_ca_file

tls_verify_cb

tx

websocket_timeout

METHODS

new

async

build_form_tx

build_tx

build_websocket_tx

clone

delete

detect_proxy

finish

finished

get

head

post

post_form

process

put

queue

receive_message

req

res

singleton

send_message

test_server

websocket

SEE ALSO

Module Install Instructions

Keyboard Shortcuts