Security Advisories (8)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::WebSocket - The WebSocket protocol

SYNOPSIS

use Mojo::WebSocket qw(WS_TEXT build_frame parse_frame);

my $bytes = build_frame 0, 1, 0, 0, 0, WS_TEXT, 'Hello World!';
my $frame = parse_frame \$bytes, 262144;

DESCRIPTION

Mojo::WebSocket implements the WebSocket protocol as described in RFC 6455. Note that 64-bit frames require a Perl with support for quads or they are limited to 32-bit.

FUNCTIONS

Mojo::WebSocket implements the following functions, which can be imported individually.

build_frame

my $bytes = build_frame $masked, $fin, $rsv1, $rsv2, $rsv3, $op, $payload;

Build WebSocket frame.

# Masked binary frame with FIN bit and payload
say build_frame 1, 1, 0, 0, 0, WS_BINARY, 'Hello World!';

# Text frame with payload but without FIN bit
say build_frame 0, 0, 0, 0, 0, WS_TEXT, 'Hello ';

# Continuation frame with FIN bit and payload
say build_frame 0, 1, 0, 0, 0, WS_CONTINUATION, 'World!';

# Close frame with FIN bit and without payload
say build_frame 0, 1, 0, 0, 0, WS_CLOSE, '';

# Ping frame with FIN bit and payload
say build_frame 0, 1, 0, 0, 0, WS_PING, 'Test 123';

# Pong frame with FIN bit and payload
say build_frame 0, 1, 0, 0, 0, WS_PONG, 'Test 123';

challenge

my $bool = challenge Mojo::Transaction::WebSocket->new;

Check WebSocket handshake challenge.

client_handshake

my $tx = client_handshake Mojo::Transaction::HTTP->new;

Perform WebSocket handshake client-side.

parse_frame

my $frame = parse_frame \$bytes, $limit;

Parse WebSocket frame.

# Parse single frame and remove it from buffer
my $frame = parse_frame \$buffer, 262144;
say "FIN: $frame->[0]";
say "RSV1: $frame->[1]";
say "RSV2: $frame->[2]";
say "RSV3: $frame->[3]";
say "Opcode: $frame->[4]";
say "Payload: $frame->[5]";
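
The following is an added example, not part of the Mojo::WebSocket documentation: a receive loop that uses parse_frame and its $limit argument to bound memory use and reject frames that violate RFC 6455. The helper drain_frames is hypothetical. The example assumes parse_frame returns undef for an incomplete frame and a defined non-reference value when the payload length exceeds $limit, and that no extension using the RSV bits has been negotiated.

```perl
use Mojo::Base -strict;
use Mojo::WebSocket qw(WS_PING WS_TEXT build_frame parse_frame);

# Hypothetical helper, not part of Mojo::WebSocket: take complete frames off a
# receive buffer, stopping at the first frame that must be rejected
sub drain_frames {
  my ($buffer, $limit) = @_;
  my @frames;
  while (length $$buffer) {
    my $frame = parse_frame($buffer, $limit);

    # Assumption: undef means the frame is incomplete, keep the bytes buffered
    last unless defined $frame;

    # Assumption: defined but not a reference means the payload exceeds $limit
    return (\@frames, 'payload exceeds limit') unless ref $frame;

    my ($fin, $rsv1, $rsv2, $rsv3, $op, $payload) = @$frame;

    # RFC 6455 5.2: RSV bits must be 0 when no extension was negotiated
    return (\@frames, 'unexpected RSV bit') if $rsv1 || $rsv2 || $rsv3;

    # RFC 6455 5.5: control frames (opcodes 8-15) must carry FIN and at most
    # 125 bytes of payload
    return (\@frames, 'invalid control frame')
      if $op >= 8 && (!$fin || length($payload) > 125);

    push @frames, $frame;
  }
  return (\@frames, undef);
}

# Constructed sample input, built with build_frame for this example
my @cases = (
  ['valid + truncated', build_frame(1, 1, 0, 0, 0, WS_TEXT, 'Hello World!')
      . substr(build_frame(1, 1, 0, 0, 0, WS_TEXT, 'World!'), 0, 4)],
  ['oversized text', build_frame(1, 1, 0, 0, 0, WS_TEXT, 'A' x 2000)],
  ['oversized ping', build_frame(1, 1, 0, 0, 0, WS_PING, 'x' x 126)],
);

for my $case (@cases) {
  my ($name, $buffer) = @$case;
  my ($frames, $error) = drain_frames(\$buffer, 1024);
  say "$name: ", scalar(@$frames), ' frame(s) accepted, ', length($buffer),
    ' byte(s) left, error: ', $error // 'none';
}
```

The limit of 1024 is chosen only to keep the sample small; the examples on this page pass 262144.
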

server_handshake

my $tx = server_handshake Mojo::Transaction::HTTP->new;

Perform WebSocket handshake server-side.

CONSTANTS

Mojo::WebSocket implements the following constants, which can be imported individually.

WS_BINARY

Opcode for Binary frames.

WS_CLOSE

Opcode for Close frames.

WS_CONTINUATION

Opcode for Continuation frames.

WS_PING

Opcode for Ping frames.

WS_PONG

Opcode for Pong frames.

WS_TEXT

Opcode for Text frames.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.