Security Advisories (10)

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

https://github.com/mojolicious/mojo/pull/1601

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojolicious::Routes::Route - Route

SYNOPSIS

use Mojolicious::Routes::Route;

my $r = Mojolicious::Routes::Route->new;

DESCRIPTION

Mojolicious::Routes::Route is the route container used by Mojolicious::Routes.

ATTRIBUTES

Mojolicious::Routes::Route implements the following attributes.

children

my $children = $r->children;
$r           = $r->children([Mojolicious::Routes::Route->new]);

The children of this route, used for nesting routes.

inline

my $bool = $r->inline;
$r       = $r->inline($bool);

Allow "bridge" semantics for this route.

parent

my $parent = $r->parent;
$r         = $r->parent(Mojolicious::Routes::Route->new);

The parent of this route, usually a Mojolicious::Routes::Route object.

partial

my $bool = $r->partial;
$r       = $r->partial($bool);

Route has no specific end, remaining characters will be captured in path.

pattern

my $pattern = $r->pattern;
$r          = $r->pattern(Mojolicious::Routes::Pattern->new);

Pattern for this route, defaults to a Mojolicious::Routes::Pattern object.

METHODS

Mojolicious::Routes::Route inherits all methods from Mojo::Base and implements the following new ones.

add_child

$r = $r->add_child(Mojolicious::Routes::Route->new);

Add a new child to this route, it will be automatically removed from its current parent if necessary.

# Reattach route
$r->add_child($r->find('foo'));

any

my $route = $r->any('/:foo');
my $route = $r->any('/:foo' => sub {...});
my $route = $r->any('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->any('/:foo' => [foo => qr/\w+/] => sub {...});
my $route = $r->any([qw(GET POST)] => '/:foo' => sub {...});

Generate Mojolicious::Routes::Route object matching any of the listed HTTP request methods or all. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->any('/user')->to('user#whatever');

bridge

my $bridge = $r->bridge;
my $bridge = $r->bridge('/:action');
my $bridge = $r->bridge('/:action', action => qr/\w+/);
my $bridge = $r->bridge(format => 0);

Low-level generator for bridge routes, returns a Mojolicious::Routes::Route object.

my $auth = $r->bridge('/user')->to('user#auth');
$auth->get('/show')->to('#show');
$auth->post('/create')->to('#create');

delete

my $route = $r->delete('/:foo');
my $route = $r->delete('/:foo' => sub {...});
my $route = $r->delete('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->delete('/:foo' => [foo => qr/\w+/] => sub {...});

Generate Mojolicious::Routes::Route object matching only DELETE requests. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->delete('/user')->to('user#remove');

detour

$r = $r->detour(action => 'foo');
$r = $r->detour('controller#action');
$r = $r->detour(Mojolicious->new, foo => 'bar');
$r = $r->detour('MyApp', {foo => 'bar'});

Set default parameters for this route and allow partial matching to simplify application embedding, takes the same arguments as "to".

find

my $route = $r->find('foo');

Find child route by name, custom names have precedence over automatically generated ones.

$r->find('show_user')->to(foo => 'bar');

get

my $route = $r->get('/:foo');
my $route = $r->get('/:foo' => sub {...});
my $route = $r->get('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->get('/:foo' => [foo => qr/\w+/] => sub {...});

Generate Mojolicious::Routes::Route object matching only GET requests. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->get('/user')->to('user#show');

has_conditions

my $bool = $r->has_conditions;

Check if this route has active conditions.

has_custom_name

my $bool = $r->has_custom_name;

Check if this route has a custom name.

has_websocket

my $bool = $r->has_websocket;

Check if this route has a WebSocket ancestor.

is_endpoint

my $bool = $r->is_endpoint;

Check if this route qualifies as an endpoint.

is_websocket

my $bool = $r->is_websocket;

Check if this route is a WebSocket.

name

my $name = $r->name;
$r       = $r->name('foo');

The name of this route, defaults to an automatically generated name based on the route pattern. Note that the name current is reserved for referring to the current route.

$r->get('/user')->to('user#show')->name('show_user');

new

my $r = Mojolicious::Routes::Route->new;
my $r = Mojolicious::Routes::Route->new('/:controller/:action');

Construct a new Mojolicious::Routes::Route object and "parse" pattern if necessary.

options

my $route = $r->options('/:foo');
my $route = $r->options('/:foo' => sub {...});
my $route = $r->options('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->options('/:foo' => [foo => qr/\w+/] => sub {...});

Generate Mojolicious::Routes::Route object matching only OPTIONS requests. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->options('/user')->to('user#overview');

over

my $over = $r->over;
$r       = $r->over(foo => 1);
$r       = $r->over(foo => 1, bar => {baz => 'yada'});
$r       = $r->over([foo => 1, bar => {baz => 'yada'}]);

Activate conditions for this route. Note that this automatically disables the routing cache, since conditions are too complex for caching.

$r->get('/foo')->over(host => qr/mojolicio\.us/)->to('foo#bar');

parse

$r = $r->parse('/:action');
$r = $r->parse('/:action', action => qr/\w+/);
$r = $r->parse(format => 0);

Parse pattern.

patch

my $route = $r->patch('/:foo');
my $route = $r->patch('/:foo' => sub {...});
my $route = $r->patch('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->patch('/:foo' => [foo => qr/\w+/] => sub {...});

Generate Mojolicious::Routes::Route object matching only PATCH requests. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->patch('/user')->to('user#update');

post

my $route = $r->post('/:foo');
my $route = $r->post('/:foo' => sub {...});
my $route = $r->post('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->post('/:foo' => [foo => qr/\w+/] => sub {...});

Generate Mojolicious::Routes::Route object matching only POST requests. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->post('/user')->to('user#create');

put

my $route = $r->put('/:foo');
my $route = $r->put('/:foo' => sub {...});
my $route = $r->put('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->put('/:foo' => [foo => qr/\w+/] => sub {...});

Generate Mojolicious::Routes::Route object matching only PUT requests. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->put('/user')->to('user#replace');

remove

$r = $r->remove;

Remove route from parent.

# Remove route completely
$r->find('foo')->remove;

# Reattach route to new parent
$r->route('/foo')->add_child($r->find('bar')->remove);

render

my $path = $r->render($suffix);
my $path = $r->render($suffix, {foo => 'bar'});

Render route with parameters into a path.

root

my $root = $r->root;

The Mojolicious::Routes object this route is an descendent of.

$r->root->cache(0);

route

my $route = $r->route;
my $route = $r->route('/:action');
my $route = $r->route('/:action', action => qr/\w+/);
my $route = $r->route(format => 0);

Low-level generator for routes matching all HTTP request methods, returns a Mojolicious::Routes::Route object.

to

my $defaults = $r->to;
$r           = $r->to(action => 'foo');
$r           = $r->to({action => 'foo'});
$r           = $r->to('controller#action');
$r           = $r->to('controller#action', foo => 'bar');
$r           = $r->to('controller#action', {foo => 'bar'});
$r           = $r->to(Mojolicious->new);
$r           = $r->to(Mojolicious->new, foo => 'bar');
$r           = $r->to(Mojolicious->new, {foo => 'bar'});
$r           = $r->to('MyApp');
$r           = $r->to('MyApp', foo => 'bar');
$r           = $r->to('MyApp', {foo => 'bar'});

Set default parameters for this route.

to_string

my $str = $r->to_string;

Stringify the whole route.

under

my $bridge = $r->under(sub {...});
my $bridge = $r->under('/:foo' => sub {...});
my $bridge = $r->under('/:foo' => [foo => qr/\w+/]);
my $bridge = $r->under({format => 0});

Generate Mojolicious::Routes::Route object for bridge route. See also the Mojolicious::Lite tutorial for many more argument variations.

my $auth = $r->under('/user')->to('user#auth');
$auth->get('/show')->to('#show');
$auth->post('/create')->to('#create');

via

my $methods = $r->via;
$r          = $r->via('GET');
$r          = $r->via(qw(GET POST));
$r          = $r->via([qw(GET POST)]);

Restrict HTTP methods this route is allowed to handle, defaults to no restrictions.

$r->route('/foo')->via(qw(GET POST))->to('foo#bar');

websocket

my $route = $r->websocket('/:foo');
my $route = $r->websocket('/:foo' => sub {...});
my $route = $r->websocket('/:foo' => {foo => 'bar'} => sub {...});
my $route = $r->websocket('/:foo' => [foo => qr/\w+/] => sub {...});

Generate Mojolicious::Routes::Route object matching only WebSocket handshakes. See also the Mojolicious::Lite tutorial for many more argument variations.

$r->websocket('/echo')->to('example#echo');

AUTOLOAD

In addition to the "ATTRIBUTES" and "METHODS" above you can also call shortcuts provided by "root" on Mojolicious::Routes::Route objects.

$r->root->add_shortcut(firefox => sub {
  my ($r, $path) = @_;
  $r->get($path, agent => qr/Firefox/);
});

$r->firefox('/welcome')->to('firefox#welcome');
$r->firefox('/bye')->to('firefox#bye');

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)