Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on an empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.
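
As an added illustration that is not part of the advisory or of Mojo::Util's own code, the following Perl places the length-leaking pattern described above beside a comparison that never returns early. The `$byte_ops` counter and the sample secret are constructed for the demonstration; the hardened routine compares the secret against itself on a length mismatch so its running time depends only on the secret's length, which the caller does not control.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Instrumentation only: counts XOR steps so the timing difference is visible
# without a benchmark.
our $byte_ops = 0;

# Vulnerable pattern: the early return on a length mismatch finishes in
# near-zero time, so response latency reveals whether the guessed length
# was right.
sub leaky_compare {
  my ($one, $two) = @_;
  return 0 if length $one != length $two;    # early exit leaks the length
  my $r = 0;
  for my $i (0 .. length($one) - 1) {
    $byte_ops++;
    $r |= ord(substr $one, $i, 1) ^ ord(substr $two, $i, 1);
  }
  return $r == 0;
}

# Hardened pattern: fold the length mismatch into the accumulator instead of
# returning, then compare the secret against itself so the loop always runs
# over the secret's full length. Timing depends only on length($secret).
sub constant_time_compare {
  my ($secret, $candidate) = @_;
  my $r = length $secret != length $candidate ? 1 : 0;
  $candidate = $secret if $r;
  for my $i (0 .. length($secret) - 1) {
    $byte_ops++;
    $r |= ord(substr $secret, $i, 1) ^ ord(substr $candidate, $i, 1);
  }
  return $r == 0;
}

# Show how much work each implementation does for a wrong-length guess, a
# right-length wrong guess, and the correct value.
sub demo {
  my $secret = 'correct-horse-battery-staple';    # constructed sample secret
  my %impl = (leaky => \&leaky_compare, constant => \&constant_time_compare);
  for my $guess ('short', 'x' x length($secret), $secret) {
    for my $name (sort keys %impl) {
      $byte_ops = 0;
      my $ok = $impl{$name}->($secret, $guess);
      printf "%-8s guess=%-32s match=%d byte_ops=%d\n", $name, "'$guess'", $ok ? 1 : 0, $byte_ops;
    }
  }
}

demo() unless caller;
```

Run it directly and compare the `byte_ops` column: the leaky version does no work at all for the wrong-length guess, which is exactly the signal a timing attack measures, while the hardened version performs the same number of steps for every input.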

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojolicious::Guides::CodingGuidelines - Coding guidelines

OVERVIEW

This document describes the coding guidelines that are the foundations of Mojo and Mojolicious development.

Please only send patches if you agree with them.

MISSION STATEMENT

Mojo is a runtime environment for Perl real-time web frameworks. It provides all the basic tools and helpers needed to write simple web applications and higher level web frameworks, such as Mojolicious.

All components should be reusable in other projects, and in a UNIXish way only loosely coupled.

Especially for people new to Perl it should be as easy as possible to install Mojolicious and get started. Writing web applications can be one of the most fun ways to learn a language!

For developers of other web frameworks, it should be possible to reuse all the infrastructure and just consider the higher levels of the Mojolicious distribution an example application.

RULES

Web development should be easy and fun; this is what we optimize for.

The web is a moving target; to stay relevant we have to stay in motion too.

Keep it simple, no magic unless absolutely necessary.

The installation process should be as fast and painless as possible. (Less than a minute on most common hardware is a good rule of thumb)

The addition and modification of features are decided by majority vote or the pumpking.

Any core developer may nominate a new one, who must then be accepted by a 2/3 majority vote.

The pumpking has veto rights and may select his successor.

It's not a feature without a test and documentation.

A feature is only needed when the majority of the userbase benefits from it.

Features may only be changed in a major release or after being deprecated for at least 3 months.

Refactoring and deprecations should be avoided if no important feature depends on it.

New features can be marked as experimental to be excluded from deprecation policies.

A major release is signaled by a new major version number and a unique code name based on a Unicode character.

Only add dependencies if absolutely necessary and make them optional if possible.

Domain specific languages should be avoided in favor of Perl-ish solutions.

No inline POD.

Documentation belongs to the guides, module POD is just an API reference.

The main focus of the included documentation should be on examples, no walls of text. (An example for every one or two sentences is a good rule of thumb)

Everything should be ordered alphabetically if possible.

The master source code repository should always be kept in a stable state, use feature branches for actual development.

Code has to be run through Perl::Tidy with the included .perltidyrc, and everything should look like it was written by a single person.

Code should be organized in blocks and those blocks should be commented.

No spaghetti code.

Comments should be correctly capitalized, and funny if possible; punctuation is optional if it doesn't increase readability.

Every file should contain at least one quote from The Simpsons or Futurama.

No names outside of Mojolicious.pm.

No elitism.

Peace!

MORE

You can continue with Mojolicious::Guides now or take a look at the Mojolicious wiki http://github.com/kraih/mojo/wiki, which contains a lot more documentation and examples by many different authors.