Security Advisories (10)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

https://github.com/mojolicious/mojo/pull/1601

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojolicious::Commands - Command line interface

SYNOPSIS

Usage: APPLICATION COMMAND [OPTIONS]

Tip: CGI and PSGI environments can be automatically detected very often and
     work without commands.

Options (for all commands):
  -h, --help          Get more information on a specific command.
      --home <path>   Path to your applications home directory, defaults to
                      the value of MOJO_HOME or auto detection.
  -m, --mode <name>   Operating mode for your application, defaults to the
                      value of MOJO_MODE/PLACK_ENV or "development".

DESCRIPTION

Mojolicious::Commands is the interactive command line interface for the Mojolicious framework. It will automatically detect available commands in the Mojolicious::Command namespace.

COMMANDS

These commands are available by default.

cgi

$ ./myapp.pl cgi

Use Mojolicious::Command::cgi to start application with CGI backend, usually auto detected.

cpanify

$ mojo cpanify -u sri -p secr3t Mojolicious-Plugin-Fun-0.1.tar.gz

Use Mojolicious::Command::cpanify for uploading files to CPAN.

daemon

$ ./myapp.pl daemon

Use Mojolicious::Command::daemon to start application with standalone HTTP and WebSocket server.

eval

$ ./myapp.pl eval 'say app->home'

Use Mojolicious::Command::eval to run code against application.

generate

$ mojo generate
$ mojo generate help
$ ./myapp.pl generate help

List available generator commands with short descriptions.

$ mojo generate help <generator>
$ ./myapp.pl generate help <generator>

List available options for generator command with short descriptions.

generate app

$ mojo generate app <AppName>

Use Mojolicious::Command::generate::app to generate application directory structure for a fully functional Mojolicious application.

generate lite_app

$ mojo generate lite_app

Use Mojolicious::Command::generate::lite_app to generate a fully functional Mojolicious::Lite application.

generate makefile

$ mojo generate makefile
$ ./myapp.pl generate makefile

Use Mojolicious::Command::generate::makefile to generate Makefile.PL file for application.

generate plugin

$ mojo generate plugin <PluginName>

Use Mojolicious::Command::generate::plugin to generate directory structure for a fully functional Mojolicious plugin.

get

$ mojo get http://mojolicio.us
$ ./myapp.pl get /foo

Use Mojolicious::Command::get to perform requests to remote host or local application.

help

$ mojo
$ mojo help
$ ./myapp.pl help

List available commands with short descriptions.

$ mojo help <command>
$ ./myapp.pl help <command>

List available options for the command with short descriptions.

inflate

$ ./myapp.pl inflate

Use Mojolicious::Command::inflate to turn templates and static files embedded in the DATA sections of your application into real files.

prefork

$ ./myapp.pl prefork

Use Mojolicious::Command::prefork to start application with standalone preforking HTTP and WebSocket server.

psgi

$ ./myapp.pl psgi

Use Mojolicious::Command::psgi to start application with PSGI backend, usually auto detected.

routes

$ ./myapp.pl routes

Use Mojolicious::Command::routes to list application routes.

test

$ ./myapp.pl test
$ ./myapp.pl test t/fun.t

Use Mojolicious::Command::test to run application tests from the t directory.

version

$ mojo version
$ ./myapp.pl version

Use Mojolicious::Command::version to show version information for installed core and optional modules, very useful for debugging.

ATTRIBUTES

Mojolicious::Commands inherits all attributes from Mojolicious::Command and implements the following new ones.

hint

my $hint  = $commands->hint;
$commands = $commands->hint('Foo!');

Short hint shown after listing available commands.

message

my $msg   = $commands->message;
$commands = $commands->message('Hello World!');

Short usage message shown before listing available commands.

namespaces

my $namespaces = $commands->namespaces;
$commands      = $commands->namespaces(['MyApp::Command']);

Namespaces to load commands from, defaults to Mojolicious::Command.

# Add another namespace to load commands from
push @{$commands->namespaces}, 'MyApp::Command';

METHODS

Mojolicious::Commands inherits all methods from Mojolicious::Command and implements the following new ones.

detect

my $env = $commands->detect;
my $env = $commands->detect($guess);

Try to detect environment.

run

$commands->run;
$commands->run(@ARGV);

Load and run commands. Automatic deployment environment detection can be disabled with the MOJO_NO_DETECT environment variable.

start_app

Mojolicious::Commands->start_app('MyApp');
Mojolicious::Commands->start_app(MyApp => @ARGV);

Load application and start the command line interface for it.

# Always start daemon for application and ignore @ARGV
Mojolicious::Commands->start_app('MyApp', 'daemon', '-l', 'http://*:8080');

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)