Security Advisories (12)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
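The defensive counterpart to the advisory above, as an added example that is not part of the advisory or the Mojolicious distribution: a startup that refuses to run on the default secret and instead loads random secrets from an environment variable. It assumes a Mojolicious release that has the secrets attribute, and the variable name MYAPP_SECRETS is an assumption.

```perl
# Added example (not from Mojolicious): fail closed instead of signing
# session cookies with the predictable default secret.
package MyApp;
use Mojo::Base 'Mojolicious';

sub startup {
    my $self = shift;

    # Weak: never calling secrets() leaves the default in place, and a
    # literal such as $self->secrets(['MyApp']) is just as guessable
    # once the source is readable.

    # Strong: one or more random secrets from the environment, separated
    # by colons (MYAPP_SECRETS is an assumed variable name). The first
    # entry signs new cookies; every entry is accepted when verifying,
    # so a new secret can be prepended and the old one dropped later
    # without invalidating live sessions all at once.
    my @secrets = grep { length } split /:/, ($ENV{MYAPP_SECRETS} // '');
    die "MYAPP_SECRETS must contain at least one random secret\n"
      unless @secrets;
    die "Every session secret must be at least 32 characters\n"
      if grep { length($_) < 32 } @secrets;

    $self->secrets(\@secrets);
}

1;
```

A value of suitable length can be produced with `openssl rand -hex 32` and kept out of the repository.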

NAME

Mojolicious::Guides::Cookbook - Cookbook

OVERVIEW

Cooking with Mojolicious, recipes for every taste.

DEPLOYMENT

Getting Mojolicious and Mojolicious::Lite applications running on different platforms.

Builtin Server

Mojolicious contains a very portable HTTP 1.1 compliant web server. It is usually used during development but is solid and fast enough for small to mid-sized applications.

% ./script/myapp daemon
Server available at http://127.0.0.1:3000.

It has many configuration options and is known to work on every platform Perl works on.

% ./script/myapp help daemon
...List of available options...

Another huge advantage is that it supports TLS and WebSockets out of the box.

% ./script/myapp daemon --listen https://*:3000
Server available at https://*:3000.

A development certificate for testing purposes is built right in, so it just works.

Apache/CGI

CGI is supported out of the box and your Mojolicious application will automatically detect that it is executed as a CGI script.

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /home/sri/myapp/public

    ScriptAlias /myapp "/home/sri/myapp/script/myapp"
</VirtualHost>

Apache/FastCGI

FastCGI is also supported out of the box and your Mojolicious application will automatically detect that it is executed as a FastCGI script.

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /home/sri/myapp/public

    FastCgiServer /home/sri/myapp/script/myapp -processes 10
    Alias /myapp /home/sri/myapp/script/myapp
</VirtualHost>

PSGI/Plack

PSGI is an interface between Perl web frameworks and web servers, and Plack is a Perl module and toolkit that contains PSGI middleware, helpers and adapters to web servers. PSGI and Plack are inspired by Python's WSGI and Ruby's Rack. Mojolicious applications are ridiculously simple to deploy with Plack.

% plackup ./script/myapp
HTTP::Server::PSGI: Accepting connections at http://0:5000/

Plack provides many server and protocol adapters for you to choose from, such as FCGI, SCGI and mod_perl. Make sure to run plackup from your application's home directory, otherwise libraries might not be found.

% plackup ./script/myapp -s FCGI -l /tmp/myapp.sock

Because plackup uses a weird trick to load your script, Mojolicious is not always able to detect the application's home directory. If that's the case, you can simply use the MOJO_HOME environment variable. Also note that app->start needs to be the last Perl statement in the application script for the same reason.

% MOJO_HOME=/home/sri/myapp plackup ./script/myapp
HTTP::Server::PSGI: Accepting connections at http://0:5000/

Some server adapters might ask for a .psgi file. If that's the case, you can just point them at your application script, because it will automatically act like one if it detects the presence of a PLACK_ENV environment variable.

Apache/mod_perl (PSGI/Plack)

mod_perl is a good example of a PSGI adapter that is used without plackup. Note that setting the PLACK_ENV environment variable is required for Mojolicious PSGI detection.

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /home/sri/myapp/public

    <Perl>
        $ENV{PLACK_ENV} = 'production';
        $ENV{MOJO_HOME} = '/home/sri/myapp';
    </Perl>

    <Location /myapp>
        SetHandler perl-script
        PerlHandler Plack::Handler::Apache2
        PerlSetVar psgi_app /home/sri/myapp/script/myapp
    </Location>
</VirtualHost>

IIS6.0/FastCGI

We don't suggest using IIS; it is a horribly broken web server, so avoid it if you can. There is nothing we can do to make this a pleasant experience for you, but maybe we can at least ease some of the pain.

First, make sure you have recent versions of Strawberry Perl and Mojolicious installed; Strawberry is as good as a Windows version of Perl can be.

Then you'll have to install IIS 6.0 and its FastCGI extension, which is not part of the standard installation. Create a new website with Control Panel > Administrative Tools > Internet Information Services Manager > Action > New > Web Site and finish the installation wizard.

Open your newly created website's properties and select the tab Web Site. Set the proper values for Site Description, IP Address, TCP Port, SSL Port etc.

On the tab Home Directory set Local Path to c:\myapp\public, Local Path Permission Flags to Read and Log Visits, and Execute Permissions to Scripts Only.

Click on the Configuration button and then Insert (next to Wildcard Application Mappings). In the next dialog set Executable to c:\windows\system32\inetsrv\fcgiext.dll and uncheck Verify That Files Exist.

Now put the following lines into c:\windows\system32\inetsrv\fcgiext.ini or c:\windows\syswow64\inetsrv\fcgiext.ini on 64-bit systems.

[Types]
*=MyApp

[MyApp]
ExePath=c:\strawberry\perl\bin\perl.exe
Arguments="c:\myapp\script\myapp fastcgi"

; Let IIS serve static files
IgnoreExistingFiles=0
IgnoreDirectories=1

There is one more thing: IIS sometimes clears your environment variables, but Windows won't work without SYSTEMROOT, so you might have to set it manually in your application.

# Application
package MyApp;
use base 'Mojolicious';

sub startup {
    my $self = shift;

    # Use event hook to set environment variable for every request
    $self->hook(
        before_dispatch => sub { $ENV{SYSTEMROOT} = 'c:\\winnt' }
    );
}

1;

FUN

Hacks that might not be very useful but are fun! :)

Hello World

If every byte matters, this is the smallest Hello World application you can write with Mojolicious::Lite.

use Mojolicious::Lite;
get '/' => {text => 'Hello World!'};
app->start;

It works because automatic rendering kicks in even if no actual code gets executed by the router; the renderer just picks up the text value from the stash and generates a response.