/ 
Mojolicious-0.999927
⭐ Starred 2674
/ Mojo::IOLoop
Security Advisories (13)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::IOLoop - Minimalistic Reactor For TCP Clients And Servers

SYNOPSIS

use Mojo::IOLoop;

# Create loop
my $loop = Mojo::IOLoop->new;

# Listen on port 3000
$loop->listen(
    port => 3000,
    read_cb => sub {
        my ($self, $id, $chunk) = @_;

        # Process input
        print $chunk;

        # Got some data, time to write
        $self->write($id, 'HTTP/1.1 200 OK');
    }
);

# Connect to port 3000 with TLS activated
my $id = $loop->connect(
    address => 'localhost',
    port => 3000,
    tls => 1,
    connect_cb => sub {
        my ($self, $id) = @_;

        # Write request
        $self->write($id, "GET / HTTP/1.1\r\n\r\n");
    },
    read_cb => sub {
        my ($self, $id, $chunk) = @_;

        # Process input
        print $chunk;
    }
);

# Add a timer
$loop->timer(5 => sub {
    my $self = shift;
    $self->drop($id);
});

# Start and stop loop
$loop->start;
$loop->stop;

DESCRIPTION

Mojo::IOLoop is a very minimalistic reactor that has been reduced to the absolute minimal feature set required to build solid and scalable TCP clients and servers.

Optional modules IO::KQueue, IO::Epoll, IO::Socket::INET6 and IO::Socket::SSL are supported transparently and used if installed.

A TLS certificate and key are also built right in to make writing test servers as easy as possible.

ATTRIBUTES

Mojo::IOLoop implements the following attributes.

accept_timeout

my $timeout = $loop->accept_timeout;
$loop       = $loop->accept_timeout(5);

Maximum time in seconds a connection can take to be accepted before being dropped, defaults to 5.

connect_timeout

my $timeout = $loop->connect_timeout;
$loop       = $loop->connect_timeout(5);

Maximum time in seconds a conenction can take to be connected before being dropped, defaults to 5.

idle_cb

my $cb = $loop->idle_cb;
$loop  = $loop->idle_cb(sub {...});

Callback to be invoked on every reactor tick if no events occurred. Note that this attribute is EXPERIMENTAL and might change without warning!

lock_cb

my $cb = $loop->lock_cb;
$loop  = $loop->lock_cb(sub {...});

A locking callback that decides if this loop is allowed to accept new incoming connections, used to sync multiple server processes. The callback should return true or false. Note that exceptions in this callback are not captured.

$loop->lock_cb(sub {
    my ($loop, $blocking) = @_;

    # Got the lock, listen for new connections
    return 1;
});

max_connections

my $max = $loop->max_connections;
$loop   = $loop->max_connections(1000);

The maximum number of connections this loop is allowed to handle before stopping to accept new incoming connections, defaults to 1000. Setting the value to 0 will make this loop stop accepting new connections and allow it to shutdown gracefully without interrupting existing connections.

tick_cb

my $cb = $loop->tick_cb;
$loop  = $loop->tick_cb(sub {...});

Callback to be invoked on every reactor tick, this for example allows you to run multiple reactors next to each other.

my $loop2 = Mojo::IOLoop->new(timeout => 0);
Mojo::IOLoop->singleton->tick_cb(sub { $loop2->one_tick });

Note that the loop timeout can be changed dynamically at any time to adjust responsiveness.

timeout

my $timeout = $loop->timeout;
$loop       = $loop->timeout(5);

Maximum time in seconds our loop waits for new events to happen, defaults to 0.25. Note that a value of 0 would make the loop non blocking.

unlock_cb

my $cb = $loop->unlock_cb;
$loop  = $loop->unlock_cb(sub {...});

A callback to free the accept lock, used to sync multiple server processes. Note that exceptions in this callback are not captured.

METHODS

Mojo::IOLoop inherits all methods from Mojo::Base and implements the following new ones.

new

my $loop = Mojo::IOLoop->new;

Construct a new Mojo::IOLoop object. Multiple of these will block each other, so use singleton instead if possible.

connect

my $id = $loop->connect(
    address => '127.0.0.1',
    port    => 3000
);
my $id = $loop->connect({
    address => '[::1]',
    port    => 443,
    tls     => 1
});

Open a TCP connection to a remote host, IPv6 will be used automatically if available. Note that IPv6 support depends on IO::Socket::INET6 and TLS support on IO::Socket::SSL.

These options are currently available.

address

Address or host name of the peer to connect to.

connect_cb

Callback to be invoked once the connection is established.

error_cb

Callback to be invoked if an error event happens on the connection.

hup_cb

Callback to be invoked if the connection gets closed.

port

Port to connect to.

read_cb

Callback to be invoked if new data arrives on the connection.

socket

Use an already prepared socket handle.

tls

Enable TLS.

tls_ca_file

CA file to use for TLS.

tls_verify_cb

Callback to invoke for TLS verification.

connection_timeout

my $timeout = $loop->connection_timeout($id);
$loop       = $loop->connection_timeout($id => 45);

Maximum amount of time in seconds a connection can be inactive before being dropped.

drop

$loop = $loop->drop($id);

Drop a connection, listen socket or timer. Connections will be dropped gracefully by allowing them to finish writing all data in it's write buffer.

error_cb

$loop = $loop->error_cb($id => sub {...});

Callback to be invoked if an error event happens on the connection.

generate_port

my $port = $loop->generate_port;

Find a free TCP port, this is a utility function primarily used for tests.

hup_cb

$loop = $loop->hup_cb($id => sub {...});

Callback to be invoked if the connection gets closed.

is_running

my $running = $loop->is_running;

Check if loop is running.

exit unless Mojo::IOLoop->singleton->is_running;

listen

my $id = $loop->listen(port => 3000);
my $id = $loop->listen({port => 3000});
my $id = $loop->listen(file => '/foo/myapp.sock');
my $id = $loop->listen(
    port     => 443,
    tls      => 1,
    tls_cert => '/foo/server.cert',
    tls_key  => '/foo/server.key'
);

Create a new listen socket, IPv6 will be used automatically if available. Note that IPv6 support depends on IO::Socket::INET6 and TLS support on IO::Socket::SSL.

These options are currently available.

address

Local address to listen on, defaults to all.

accept_cb

Callback to invoke for each accepted connection.

error_cb

Callback to be invoked if an error event happens on the connection.

file

A unix domain socket to listen on.

hup_cb

Callback to be invoked if the connection gets closed.

port

Port to listen on.

queue_size

Maximum queue size, defaults to SOMAXCONN.

read_cb

Callback to be invoked if new data arrives on the connection.

tls

Enable TLS.

tls_cert

Path to the TLS cert file, defaulting to a built in test certificate.

tls_key

Path to the TLS key file, defaulting to a built in test key.

local_info

my $info = $loop->local_info($id);

Get local information about a connection.

my $address = $info->{address};

These values are to be expected in the returned hash reference.

address

The local address.

port

The local port.

one_tick

$loop->one_tick;
$loop->one_tick('0.25');
$loop->one_tick(0);

Run reactor for exactly one tick.

read_cb

$loop = $loop->read_cb($id => sub {...});

Callback to be invoked if new data arrives on the connection.

$loop->read_cb($id => sub {
    my ($loop, $id, $chunk) = @_;

    # Process chunk
});

remote_info

my $info = $loop->remote_info($id);

Get remote information about a connection.

my $address = $info->{address};

These values are to be expected in the returned hash reference.

address

The remote address.

port

The remote port.

singleton

my $loop = Mojo::IOLoop->singleton;

The global loop object, used to access a single shared loop instance from everywhere inside the process.

start

$loop->start;

Start the loop, this will block until stop is called or return immediately if the loop is already running.

start_tls

my $id = $loop->start_tls($id);
my $id = $loop->start_tls($id => {tls_ca_file => '/etc/tls/cacerts.pem'});

Start new TLS connection inside old connection. Note that TLS support depends on IO::Socket::SSL.

These options are currently available.

tls_ca_file

CA file to use for TLS.

tls_verify_cb

Callback to invoke for TLS verification.

stop

$loop->stop;

Stop the loop immediately, this will not interrupt any existing connections and the loop can be restarted by running start again.

timer

my $id = $loop->timer(5 => sub {...});
my $id = $loop->timer(0.25 => sub {...});

Create a new timer, invoking the callback afer a given amount of seconds.

write

$loop->write($id => 'Hello!');
$loop->write($id => 'Hello!', sub {...});

Write data to connection, the optional drain callback will be invoked once all data has been written.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.