Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
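The length leak described in the CVE-2020-36829 entry above, shown as an added example that is not Mojo::Util's own code: the early-returning comparison beside a hardened variant that always walks the full input before reporting a mismatch (the names secure_compare_leaky and secure_compare_fixed are chosen here).

```perl
use strict;
use warnings;

# Pattern described in CVE-2020-36829 (illustration, not Mojo::Util's code):
# the early return on a length mismatch finishes faster than a full scan,
# so response time reveals whether a guess has the right length.
sub secure_compare_leaky {
  my ($one, $two) = @_;
  return 0 if length $one != length $two;
  my $r = 0;
  $r |= ord(substr $one, $_) ^ ord(substr $two, $_) for 0 .. length($one) - 1;
  return $r == 0;
}

# Hardened variant written for this page: on a length mismatch, remember the
# failure but still scan the whole caller-supplied string (against itself),
# so the time taken depends only on the length the caller already knows.
sub secure_compare_fixed {
  my ($one, $two) = @_;
  my $mismatch = 0;
  if (length $one != length $two) { $mismatch = 1; $two = $one }
  my $r = 0;
  $r |= ord(substr $one, $_) ^ ord(substr $two, $_) for 0 .. length($one) - 1;
  return $r == 0 && !$mismatch;
}

# Constructed sample values: an equal pair, a same-length mismatch and a
# different-length mismatch; only the first reports a match.
for my $pair (['s3cret', 's3cret'], ['s3cret', 's3cr3t'], ['s3cret', 's3']) {
  my ($expected, $guess) = @$pair;
  printf "%-8s vs %-8s => %s\n", $expected, $guess,
    secure_compare_fixed($expected, $guess) ? 'match' : 'no match';
}
```

The hardened variant is still only constant-time with respect to the content of the secret, not its length; callers should compare fixed-length digests (for example an HMAC over the value) rather than variable-length secrets.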

NAME

Mojolicious::Guides::Cheatsheet - Reference

OVERVIEW

This document contains a concise all-purpose reference.

RESERVED STASH VALUES

Besides everything prefixed with mojo., there are a few stash values that are reserved for routes and the renderer.

action

$r->route('/welcome')->to(action => 'hello');

Action to dispatch to.

app

$r->route('/welcome')->to(app => MyApp->new);

Embedded application to dispatch to.

cb

$r->route('/welcome')->to(cb => sub {...});

Callback to dispatch to.

class

$r->route('/welcome')->to(class => 'Greeting');

Camelized alternative to controller.

controller

$r->route('/welcome')->to(controller => 'greetings');

Controller to dispatch to.

data

$self->render(data => 'raw bytes');

Turn raw bytes into a response.

extends

$self->render(extends => 'template');

Template to extend.

format

$self->render(format => 'rss');

Format to render.

handler

$self->render(handler => 'ep');

Handler to use for rendering.

inline

$self->render(inline => '<%= 1 + 1%>');

Inline template to render.

json

$self->render(json => {foo => 23});

Turn Perl structure into JSON response.

layout

$self->render(layout => 'green');

Layout to render.

method

$r->route('/welcome')->to(method => 'hello');

Alternative to action.

namespace

$r->route('/welcome')->to(namespace => 'TestApp', method => 'lulz');

Namespace to dispatch to.

partial

my $result = $self->render(partial => 1);

Return rendering result instead of turning it into a response.

path

$r->route('/welcome')->to(path => '/test', app => MyApp->new);

Base path to use for dispatching to embedded applications.

status

$self->render(status => 404);

Status code to use for rendered response.

template

$self->render(template => 'bye');

Template to render.

text

$self->render(text => 'Hello World!');

Turn characters into a response.

ENVIRONMENT VARIABLES

Many parts of Mojolicious can be tuned with environment variables. Debug environment variables are excluded because they are for developer use only.

MOJO_APP

Decides which Mojolicious or Mojo application will be used, should always contain a class name like MyApp, usually defaults to Mojo::HelloWorld.

MOJO_APP=MyApp

MOJO_CA_FILE

The path to the TLS CA authority file, should always contain a path like /etc/tls/cacerts.pem. Note that IO::Socket::SSL must be installed for TLS support.

MOJO_CA_FILE=/etc/tls/cacerts.pem

MOJO_CERT_FILE

The path to the TLS certificate, should always contain a path like /etc/tls/client.crt. Note that IO::Socket::SSL must be installed for TLS support.

MOJO_CERT_FILE=/etc/tls/client.crt

MOJO_CHUNK_SIZE

Chunk size used for I/O operations in bytes, a bigger chunk size speeds up I/O operations but will also use more memory, defaults to 131072.

MOJO_CHUNK_SIZE=1024

MOJO_CONFIG

Config file to be used by Mojolicious::Plugin::Config and Mojolicious::Plugin::JSONConfig, quite useful for testing.

MOJO_CONFIG=myapp.conf

MOJO_DNS_SERVER

DNS server to use for non-blocking lookups.

MOJO_DNS_SERVER=8.8.8.8

MOJO_HOME

Home directory for the Mojolicious application, should always contain a path like /home/sri/myapp.

MOJO_HOME=/home/sri/myapp

MOJO_IOWATCHER

Alternative Mojo::IOWatcher implementation to try.

MOJO_IOWATCHER=Mojo::IOWatcher::EV

MOJO_KEY_FILE

The path to the TLS key, should always contain a path like /etc/tls/client.key. Note that IO::Socket::SSL must be installed for TLS support.

MOJO_KEY_FILE=/etc/tls/client.key

MOJO_LOG_LEVEL

Log level for the Mojolicious application, should contain a valid log level like debug or error.

MOJO_LOG_LEVEL=debug
MOJO_LOG_LEVEL=error

MOJO_MAX_LEFTOVER_SIZE

Maximum size in bytes of buffer for pipelined HTTP requests, defaults to 262144.

MOJO_MAX_LEFTOVER_SIZE=2048

MOJO_MAX_LINE_SIZE

Maximum line size for HTTP message start lines and headers in bytes, defaults to 10240.

MOJO_MAX_LINE_SIZE=2048

MOJO_MAX_MEMORY_SIZE

Maximum size in bytes for HTTP content to keep in memory, bigger content will be written to temporary files, defaults to 262144.

MOJO_MAX_MEMORY_SIZE=2048

MOJO_MAX_MESSAGE_SIZE

Maximum size for HTTP messages in bytes, defaults to 5242880.

MOJO_MAX_MESSAGE_SIZE=1024

MOJO_MAX_REDIRECTS

Maximum number of redirects Mojo::UserAgent will follow, defaults to 0.

MOJO_MAX_REDIRECTS=3

MOJO_MAX_WEBSOCKET_SIZE

Maximum size for WebSocket messages in bytes, defaults to 262144.

MOJO_MAX_WEBSOCKET_SIZE=1024

MOJO_MODE

Run mode for the Mojolicious application, should contain a valid mode like development or production.

MOJO_MODE=development
MOJO_MODE=production

MOJO_NO_BONJOUR

Disable Bonjour support. Note that Net::Rendezvous::Publish must be installed for Bonjour support.

MOJO_NO_BONJOUR=1

MOJO_NO_DETECT

Disable Mojolicious deployment environment detection.

MOJO_NO_DETECT=1

MOJO_NO_IPV6

Disable IPv6 support. Note that IO::Socket::IP must be installed for IPv6 support.

MOJO_NO_IPV6=1

MOJO_NO_RESOLVER

Disable non-blocking resolver support and fall back to blocking system resolver.

MOJO_NO_RESOLVER=1

MOJO_NO_TLS

Disable TLS support; this might result in slightly better performance and less memory use. Note that IO::Socket::SSL must be installed for TLS support.

MOJO_NO_TLS=1

MOJO_PROXY

Enable automatic HTTP and HTTPS proxy detection in Mojo::UserAgent; for security reasons this is disabled by default.

MOJO_PROXY=1

MOJO_REVERSE_PROXY

Enable reverse proxy support for the Mojolicious application. This allows Mojolicious to automatically pick up the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-HTTPS headers.

MOJO_REVERSE_PROXY=1

MOJO_STATIC_CLASS

Class the Mojolicious static file dispatcher should use to find DATA templates, defaults to main.

MOJO_STATIC_CLASS=MyApp

MOJO_TEMPLATE_CLASS

Class the Mojolicious renderer should use to find DATA templates, defaults to main.

MOJO_TEMPLATE_CLASS=MyApp

MOJO_TMPDIR

Directory for temporary files like huge uploads, defaults to a random platform-specific temporary directory.

MOJO_TMPDIR=/tmp/mojo

MORE

You can continue with Mojolicious::Guides now or take a look at the Mojolicious wiki http://github.com/kraih/mojo/wiki, which contains a lot more documentation and examples by many different authors.