Security Advisories (10)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::Headers - Headers

SYNOPSIS

use Mojo::Headers;

# Parse
my $headers = Mojo::Headers->new;
$headers->parse("Content-Length: 42\x0d\x0a");
$headers->parse("Content-Type: text/html\x0d\x0a\x0d\x0a");
say $headers->content_length;
say $headers->content_type;

# Build
my $headers = Mojo::Headers->new;
$headers->content_length(42);
$headers->content_type('text/plain');
say $headers->to_string;

DESCRIPTION

Mojo::Headers is a container for HTTP headers based on RFC 7230 and RFC 7231.

ATTRIBUTES

Mojo::Headers implements the following attributes.

max_line_size

my $size = $headers->max_line_size;
$headers = $headers->max_line_size(1024);

Maximum header line size in bytes, defaults to the value of the MOJO_MAX_LINE_SIZE environment variable or 10240 (10KB).

METHODS

Mojo::Headers inherits all methods from Mojo::Base and implements the following new ones.

accept

my $accept = $headers->accept;
$headers   = $headers->accept('application/json');

Shortcut for the Accept header.

accept_charset

my $charset = $headers->accept_charset;
$headers    = $headers->accept_charset('UTF-8');

Shortcut for the Accept-Charset header.

accept_encoding

my $encoding = $headers->accept_encoding;
$headers     = $headers->accept_encoding('gzip');

Shortcut for the Accept-Encoding header.

accept_language

my $language = $headers->accept_language;
$headers     = $headers->accept_language('de, en');

Shortcut for the Accept-Language header.

accept_ranges

my $ranges = $headers->accept_ranges;
$headers   = $headers->accept_ranges('bytes');

Shortcut for the Accept-Ranges header.

add

$headers = $headers->add(Foo => 'one value');
$headers = $headers->add(Foo => 'first value', 'second value');

Add one or more header values with one or more lines.

# "Vary: Accept"
# "Vary: Accept-Encoding"
$headers->vary('Accept')->add(Vary => 'Accept-Encoding')->to_string;

allow

my $allow = $headers->allow;
$headers  = $headers->allow('GET, POST');

Shortcut for the Allow header.

append

$headers = $headers->append(Vary => 'Accept-Encoding');

Append value to header and flatten it if necessary.

# "Vary: Accept"
$headers->append(Vary => 'Accept')->to_string;

# "Vary: Accept, Accept-Encoding"
$headers->vary('Accept')->append(Vary => 'Accept-Encoding')->to_string;

authorization

my $authorization = $headers->authorization;
$headers          = $headers->authorization('Basic Zm9vOmJhcg==');

Shortcut for the Authorization header.

cache_control

my $cache_control = $headers->cache_control;
$headers          = $headers->cache_control('max-age=1, no-cache');

Shortcut for the Cache-Control header.

clone

my $clone = $headers->clone;

Clone headers.

connection

my $connection = $headers->connection;
$headers       = $headers->connection('close');

Shortcut for the Connection header.

content_disposition

my $disposition = $headers->content_disposition;
$headers        = $headers->content_disposition('foo');

Shortcut for the Content-Disposition header.

content_encoding

my $encoding = $headers->content_encoding;
$headers     = $headers->content_encoding('gzip');

Shortcut for the Content-Encoding header.

content_length

my $len  = $headers->content_length;
$headers = $headers->content_length(4000);

Shortcut for the Content-Length header.

content_range

my $range = $headers->content_range;
$headers  = $headers->content_range('bytes 2-8/100');

Shortcut for the Content-Range header.

content_type

my $type = $headers->content_type;
$headers = $headers->content_type('text/plain');

Shortcut for the Content-Type header.

cookie

my $cookie = $headers->cookie;
$headers   = $headers->cookie('f=b');

Shortcut for the Cookie header from RFC 6265.

date

my $date = $headers->date;
$headers = $headers->date('Sun, 17 Aug 2008 16:27:35 GMT');

Shortcut for the Date header.

dnt

my $dnt  = $headers->dnt;
$headers = $headers->dnt(1);

Shortcut for the DNT (Do Not Track) header, which has no specification yet, but is very commonly used.

etag

my $etag = $headers->etag;
$headers = $headers->etag('abc321');

Shortcut for the ETag header.

expect

my $expect = $headers->expect;
$headers   = $headers->expect('100-continue');

Shortcut for the Expect header.

expires

my $expires = $headers->expires;
$headers    = $headers->expires('Thu, 01 Dec 1994 16:00:00 GMT');

Shortcut for the Expires header.

from_hash

$headers = $headers->from_hash({'Cookie' => 'a=b'});
$headers = $headers->from_hash({'Cookie' => ['a=b', 'c=d']});
$headers = $headers->from_hash({});

Parse headers from a hash reference. An empty hash removes all headers.

header

my $value = $headers->header('Foo');
$headers  = $headers->header(Foo => 'one value');
$headers  = $headers->header(Foo => 'first value', 'second value');

Get or replace the current header values.

host

my $host = $headers->host;
$headers = $headers->host('127.0.0.1');

Shortcut for the Host header.

if_modified_since

my $date = $headers->if_modified_since;
$headers = $headers->if_modified_since('Sun, 17 Aug 2008 16:27:35 GMT');

Shortcut for the If-Modified-Since header.

is_finished

my $bool = $headers->is_finished;

Check if header parser is finished.

is_limit_exceeded

my $bool = $headers->is_limit_exceeded;

Check if a header has exceeded max_line_size.

last_modified

my $date = $headers->last_modified;
$headers = $headers->last_modified('Sun, 17 Aug 2008 16:27:35 GMT');

Shortcut for the Last-Modified header.

leftovers

my $bytes = $headers->leftovers;

Get leftover data from header parser.

link

my $link = $headers->link;
$headers = $headers->link('<http://127.0.0.1/foo/3>; rel="next"');

Shortcut for the Link header from RFC 5988.

location

my $location = $headers->location;
$headers     = $headers->location('http://127.0.0.1/foo');

Shortcut for the Location header.

names

my $names = $headers->names;

Return a list of all currently defined headers.

# Names of all headers
say for @{$headers->names};

origin

my $origin = $headers->origin;
$headers   = $headers->origin('http://example.com');

Shortcut for the Origin header from RFC 6454.

parse

$headers = $headers->parse("Content-Type: text/plain\x0d\x0a\x0d\x0a");

Parse formatted headers.
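
An added example, not part of the Mojolicious documentation: feeding untrusted header bytes to parse in chunks and using is_limit_exceeded, is_finished and leftovers to decide what to do with the result. The helper name parse_header_chunks, the 64-byte limit and the sample chunks are constructed for illustration.

```perl
use Mojo::Base -strict;
use Mojo::Headers;

# Hypothetical helper (not a Mojo::Headers method): feed chunks as they
# arrive from the network and classify the result.
sub parse_header_chunks {
  my ($limit, @chunks) = @_;
  my $headers = Mojo::Headers->new(max_line_size => $limit);

  for my $chunk (@chunks) {
    $headers->parse($chunk);

    # Check the limit before anything else, an oversized line must never
    # be treated as a successfully parsed header block
    return {status => 'rejected'} if $headers->is_limit_exceeded;

    # Keep reading until the terminating blank line has been seen
    next unless $headers->is_finished;

    # Whatever is still buffered after the blank line belongs to the body
    return {status => 'ok', headers => $headers->to_hash, body => $headers->leftovers // ''};
  }

  # Ran out of input before the terminating blank line
  return {status => 'incomplete'};
}

# Constructed input: a header block split mid-line across two reads
my $ok = parse_header_chunks(64,
  "Host: example.com\x0d\x0aContent-Le", "ngth: 5\x0d\x0a\x0d\x0ahello");
say join ' ', $ok->{status}, $ok->{headers}{'Content-Length'}, $ok->{body};

# Constructed input: one line that keeps growing without a line ending
my $big = parse_header_chunks(64, 'X-Pad: ' . ('A' x 40), 'A' x 40);
say $big->{status};

# Constructed input: the peer stops sending before the blank line
my $cut = parse_header_chunks(64, "Host: example.com\x0d\x0a");
say $cut->{status};
```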

proxy_authenticate

my $authenticate = $headers->proxy_authenticate;
$headers         = $headers->proxy_authenticate('Basic "realm"');

Shortcut for the Proxy-Authenticate header.

proxy_authorization

my $authorization = $headers->proxy_authorization;
$headers          = $headers->proxy_authorization('Basic Zm9vOmJhcg==');

Shortcut for the Proxy-Authorization header.

range

my $range = $headers->range;
$headers  = $headers->range('bytes=2-8');

Shortcut for the Range header.

referrer

my $referrer = $headers->referrer;
$headers     = $headers->referrer('http://example.com');

Shortcut for the Referer header. There was a typo in RFC 2068 which resulted in Referer becoming an official header.

remove

$headers = $headers->remove('Foo');

Remove a header.

sec_websocket_accept

my $accept = $headers->sec_websocket_accept;
$headers   = $headers->sec_websocket_accept('s3pPLMBiTxaQ9kYGzzhZRbK+xOo=');

Shortcut for the Sec-WebSocket-Accept header from RFC 6455.

sec_websocket_extensions

my $extensions = $headers->sec_websocket_extensions;
$headers       = $headers->sec_websocket_extensions('foo');

Shortcut for the Sec-WebSocket-Extensions header from RFC 6455.

sec_websocket_key

my $key  = $headers->sec_websocket_key;
$headers = $headers->sec_websocket_key('dGhlIHNhbXBsZSBub25jZQ==');

Shortcut for the Sec-WebSocket-Key header from RFC 6455.

sec_websocket_protocol

my $proto = $headers->sec_websocket_protocol;
$headers  = $headers->sec_websocket_protocol('sample');

Shortcut for the Sec-WebSocket-Protocol header from RFC 6455.

sec_websocket_version

my $version = $headers->sec_websocket_version;
$headers    = $headers->sec_websocket_version(13);

Shortcut for the Sec-WebSocket-Version header from RFC 6455.

server

my $server = $headers->server;
$headers   = $headers->server('Mojo');

Shortcut for the Server header.

set_cookie

my $cookie = $headers->set_cookie;
$headers   = $headers->set_cookie('f=b; path=/');

Shortcut for the Set-Cookie header from RFC 6265.

status

my $status = $headers->status;
$headers   = $headers->status('200 OK');

Shortcut for the Status header from RFC 3875.

te

my $te   = $headers->te;
$headers = $headers->te('chunked');

Shortcut for the TE header.

to_hash

my $single = $headers->to_hash;
my $multi  = $headers->to_hash(1);

Turn headers into a hash reference. Array references to represent multiple headers with the same name are disabled by default.

say $headers->to_hash->{DNT};

to_string

my $str = $headers->to_string;

Turn headers into a string, suitable for HTTP messages.

trailer

my $trailer = $headers->trailer;
$headers    = $headers->trailer('X-Foo');

Shortcut for the Trailer header.

transfer_encoding

my $encoding = $headers->transfer_encoding;
$headers     = $headers->transfer_encoding('chunked');

Shortcut for the Transfer-Encoding header.

upgrade

my $upgrade = $headers->upgrade;
$headers    = $headers->upgrade('websocket');

Shortcut for the Upgrade header.

user_agent

my $agent = $headers->user_agent;
$headers  = $headers->user_agent('Mojo/1.0');

Shortcut for the User-Agent header.

vary

my $vary = $headers->vary;
$headers = $headers->vary('*');

Shortcut for the Vary header.

www_authenticate

my $authenticate = $headers->www_authenticate;
$headers         = $headers->www_authenticate('Basic realm="realm"');

Shortcut for the WWW-Authenticate header.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.