Security Advisories (10)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

https://github.com/mojolicious/mojo/pull/1601

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojolicious::Guides::FAQ - Frequently Asked Questions

OVERVIEW

This document contains the most frequently asked questions about Mojolicious together with the right answers.

QUESTIONS

How does Mojolicious compare to other Perl web frameworks?

The short answer is "it doesn't", because we interpret the words "web framework" much more literally than others. With the emergence of the real-time web and new technologies such as WebSockets, we are facing new challenges that go way beyond what commonly used modules like LWP were designed for. Because of this, Mojolicious contains a whole new HTTP client/server stack called Mojo, which was heavily inspired by the original LWPng effort and carefully designed with these new requirements in mind. So while some of the higher abstraction layers might look similar to other web frameworks, it actually defines a whole new category and could even be the foundation for more advanced ones in the future.

Why doesn't Mojolicious have any dependencies?

We are optimizing Mojolicious for user-friendliness and development speed, without compromises. While there are no rules in Mojolicious::Guides::CodingGuidelines that forbid dependencies, we do currently discourage adding non-optional ones in favor of a faster and more painless installation process. And we do in fact already use several optional CPAN modules such as EV, IO::Socket::IP, IO::Socket::SSL and Plack to provide advanced functionality if they are installed.

Why reinvent wheels?

Because we can make them rounder. Components specifically designed for user-friendliness and development speed are not easy to come by. We are strong believers of the Perl mantra "There is more than one way to do it", and our quest is to develop the best possible solutions for these two criteria.

What about backwards compatibility?

In conformance with Mojolicious::Guides::CodingGuidelines, we will always deprecate a feature before removing or changing it in incompatible ways between major releases. New features can however be marked as experimental to explicitly exclude them from these rules. This gives us the necessary freedom to ensure a healthy future for Mojolicious. So, as long as you are not using anything marked experimental, untested or undocumented, you can always count on backwards compatibility, everything else would be considered a bug.

Why not split up Mojolicious into many smaller distributions?

Because there are no advantages, it drastically increases maintenance costs and installation times without giving us anything in return. It would only make sense if we wanted to pass ownership of a module to a new maintainer, which we already have done in the past.

Can you add feature XY to the core distribution?

Probably not. While the Mojolicious distribution covers a wide range of features, we are rather conservative when it comes to adding new ones. The most important criteria are outlined in Mojolicious::Guides::CodingGuidelines. But don't let this discourage you, it doesn't hurt to open a GitHub issue and ask, just be prepared that it might not pass the vote. To increase the chances you can also discuss and refine ideas on the mailing-list.

What does the error "Maximum message size exceeded" mean?

To protect your applications from excessively large requests and responses, our HTTP parser has a cap after which it will automatically stop accepting new data, and in most cases force the connection to be closed. This limit is around 5MB by default, you can use the MOJO_MAX_MESSAGE_SIZE environment variable to change this value.

What does the error "Maximum line size exceeded" mean?

This is a very similar protection mechanism to the one described in the previous answer, but a little more specific. It limits the maximum length of any \r\n terminated part of a HTTP message, such as request line, status line and headers. This limit is around 10KB by default, you can use the MOJO_MAX_LINE_SIZE environment variable to change this value.

What does "Your secret passphrase needs to be changed" mean?

Mojolicious uses a secret passphrase for security features such as signed cookies. It defaults to the name of your application, which is not very secure, so we added this log message as a reminder. You can change the passphrase with the attribute "secret" in Mojolicious.

app->secret('My very secret passphrase.');

What does "Inactivity timeout" mean.

To protect your applications from denial-of-service attacks, all connections have an inactivity timeout which limits how long a connection may be inactive before being closed automatically. It defaults to 20 seconds for the user agent and 15 seconds for all built-in web servers, and is commonly referred to as inactivity_timeout. This timeout always applies, so you might have to tweak it for applications that take a long time to process a request.

What does "Premature connection close" mean?

This error message is often related to the one above, and means that the web server closed the connection before the user agent could receive the whole response.

What does "Worker 31842 has no heartbeat, restarting" mean?

As long as they are accepting new connections, Hypnotoad worker processes send heartbeat messages to the manager process in regular intervals, to signal that they are still responsive. A blocking operation such as an infinite loop in your application (or active connections after a worker has stopped accepting new connections) can prevent this, and will force the affected worker to be restarted after a timeout. This heartbeat_timeout defaults to 20 seconds and can be extended if your application requires it.

I think i have found a bug, what should i do now?

First make sure you are using the latest version of Mojolicious, it is quite likely that the bug has already been fixed. If that doesn't help, prepare a test case demonstrating the bug, you are not expected to fix it yourself, but you'll have to make sure the developers can replicate your problem. Sending in your whole application generally does more harm than good, the t directory of this distribution has many good examples for how to do it right. Writing a test is usually the hardest part of fixing a bug, so the better your test case the faster it can be fixed. ;)

Once that's done you can contact the developers via GitHub issue.

If you decide to fix the bug yourself, make sure to also take a look at Mojolicious::Guides::CodingGuidelines.

You can continue with Mojolicious::Guides now or take a look at the Mojolicious wiki http://github.com/kraih/mojo/wiki, which contains a lot more documentation and examples by many different authors.

To install Mojolicious, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Mojolicious

CPAN shell

perl -MCPAN -e shell
install Mojolicious

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)