Security Advisories (8)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
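
The length leak described under CVE-2020-36829 above, as an added example that is not Mojolicious code: the first function has the early return the advisory describes, the second records the length mismatch and still does the same amount of work. The names leaky_compare and length_safe_compare and the sample values are assumptions made for this illustration.

```perl
use strict;
use warnings;

# Pattern described in the advisory: return immediately on a length
# mismatch. How fast the call returns then tells the caller whether the
# guess has the same length as the secret.
sub leaky_compare {
  my ($input, $secret) = @_;
  return 0 if length($input) != length($secret);
  my $diff = 0;
  $diff |= ord(substr $input, $_, 1) ^ ord(substr $secret, $_, 1)
    for 0 .. length($input) - 1;
  return $diff == 0 ? 1 : 0;
}

# Hardened form: no early return. A length mismatch is recorded in $diff
# and the loop runs over the caller-supplied input only, so the amount of
# work no longer depends on the length of the secret.
sub length_safe_compare {
  my ($input, $secret) = @_;
  my $diff = length($input) != length($secret) ? 1 : 0;

  # On a mismatch compare the input with itself; $diff is already set,
  # so the result stays false
  $secret = $input if $diff;

  $diff |= ord(substr $input, $_, 1) ^ ord(substr $secret, $_, 1)
    for 0 .. length($input) - 1;
  return $diff == 0 ? 1 : 0;
}

# Constructed sample values
my $secret = 'c0nstructed-sample-mac';
for my $guess ('short', 'c0nstructed-sample-maX', $secret) {
  printf "%-24s leaky=%d length_safe=%d\n", $guess,
    leaky_compare($guess, $secret), length_safe_compare($guess, $secret);
}
```

Both functions return the same results; they differ only in whether the running time depends on the length of the secret.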

NAME

Mojo::Transaction - Transaction base class

SYNOPSIS

package Mojo::Transaction::MyTransaction;
use Mojo::Base 'Mojo::Transaction';

sub client_read  {...}
sub client_write {...}
sub server_read  {...}
sub server_write {...}

DESCRIPTION

Mojo::Transaction is an abstract base class for transactions, like Mojo::Transaction::HTTP and Mojo::Transaction::WebSocket.

EVENTS

Mojo::Transaction inherits all events from Mojo::EventEmitter and can emit the following new ones.

connection

$tx->on(connection => sub {
  my ($tx, $connection) = @_;
  ...
});

Emitted when a connection has been assigned to the transaction.

finish

$tx->on(finish => sub {
  my $tx = shift;
  ...
});

Emitted when transaction is finished.

resume

$tx->on(resume => sub {
  my $tx = shift;
  ...
});

Emitted when transaction is resumed.

ATTRIBUTES

Mojo::Transaction implements the following attributes.

kept_alive

my $kept_alive = $tx->kept_alive;
$tx            = $tx->kept_alive(1);

Connection has been kept alive.

local_address

my $address = $tx->local_address;
$tx         = $tx->local_address('127.0.0.1');

Local interface address.

local_port

my $port = $tx->local_port;
$tx      = $tx->local_port(8080);

Local interface port.

original_remote_address

my $address = $tx->original_remote_address;
$tx         = $tx->original_remote_address('127.0.0.1');

Remote interface address.

remote_port

my $port = $tx->remote_port;
$tx      = $tx->remote_port(8081);

Remote interface port.

req

my $req = $tx->req;
$tx     = $tx->req(Mojo::Message::Request->new);

HTTP request, defaults to a Mojo::Message::Request object.

res

my $res = $tx->res;
$tx     = $tx->res(Mojo::Message::Response->new);

HTTP response, defaults to a Mojo::Message::Response object.

METHODS

Mojo::Transaction inherits all methods from Mojo::EventEmitter and implements the following new ones.

client_close

$tx->client_close;
$tx->client_close(1);

Transaction closed client-side; no actual connection close is assumed by default. Used to implement user agents.

client_read

$tx->client_read($bytes);

Read data client-side, used to implement user agents. Meant to be overloaded in a subclass.

client_write

my $bytes = $tx->client_write;

Write data client-side, used to implement user agents. Meant to be overloaded in a subclass.

connection

my $id = $tx->connection;
$tx    = $tx->connection($id);

Connection identifier.

error

my $err = $tx->error;

Get request or response error and return undef if there is no error, commonly used together with "success".

# Longer version
my $err = $tx->req->error || $tx->res->error;

# Check for different kinds of errors
if (my $err = $tx->error) {
  die "$err->{code} response: $err->{message}" if $err->{code};
  die "Connection error: $err->{message}";
}

is_finished

my $bool = $tx->is_finished;

Check if transaction is finished.

is_websocket

my $bool = $tx->is_websocket;

False, this is not a Mojo::Transaction::WebSocket object.

is_writing

my $bool = $tx->is_writing;

Check if transaction is writing.

resume

$tx = $tx->resume;

Resume transaction.

remote_address

my $address = $tx->remote_address;
$tx         = $tx->remote_address('127.0.0.1');

Same as "original_remote_address", or the last value of the X-Forwarded-For header if "req" has been performed through a reverse proxy.
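
The resolution rule described above, modelled in plain Perl as an added example (not the Mojo::Transaction implementation), to show why the last X-Forwarded-For value is the one used. The helper resolve_remote_address, its arguments and the addresses are assumptions made for this illustration.

```perl
use strict;
use warnings;

# Hypothetical helper modelling the rule documented above; it is not the
# Mojo::Transaction implementation.
sub resolve_remote_address {
  my ($peer, $xff, $reverse_proxy) = @_;

  # No reverse proxy: only the socket peer is trustworthy
  return $peer unless $reverse_proxy;

  # Reverse proxy: the proxy appends the peer it saw, so take the last value
  return $1 if defined $xff && $xff =~ /([^,\s]+)\s*$/;

  # Header missing or empty: fall back to the socket peer
  return $peer;
}

# Constructed cases: [description, socket peer, X-Forwarded-For, proxy mode]
my @cases = (
  ['direct, header ignored',        '198.51.100.7', '10.0.0.1',               0],
  ['proxied, single value',         '127.0.0.1',    '198.51.100.7',           1],
  ['proxied, client sent a value',  '127.0.0.1',    '10.0.0.1, 198.51.100.7', 1],
  ['proxied, header missing',       '127.0.0.1',    undef,                    1],
  ['proxy mode on, proxy bypassed', '198.51.100.7', '10.0.0.1',               1],
);

for my $case (@cases) {
  my ($what, $peer, $xff, $proxy) = @$case;
  printf "%-30s => %s\n", $what, resolve_remote_address($peer, $xff, $proxy);
}
```

In the last case the header value is returned unchanged because no proxy appended the real peer, so address-based logging, rate limiting or access checks should rely on "remote_address" only when every request actually passes through the reverse proxy.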

server_close

$tx->server_close;

Transaction closed server-side, used to implement web servers.

server_read

$tx->server_read($bytes);

Read data server-side, used to implement web servers. Meant to be overloaded in a subclass.

server_write

my $bytes = $tx->server_write;

Write data server-side, used to implement web servers. Meant to be overloaded in a subclass.

success

my $res = $tx->success;

Returns the Mojo::Message::Response object from "res" if the transaction was successful, or undef otherwise. Connection and parser errors have only a message in "error"; 400 and 500 responses also have a code.

# Sensible exception handling
if (my $res = $tx->success) { say $res->body }
else {
  my $err = $tx->error;
  die "$err->{code} response: $err->{message}" if $err->{code};
  die "Connection error: $err->{message}";
}

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.