Security Advisories (8)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

https://github.com/mojolicious/mojo/pull/1601

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

CVE-2024-58135 (2025-05-03)

Mojolicious versions from 7.28 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

NAME

Mojo::Promise - Promises/A+

SYNOPSIS

use Mojo::Promise;
use Mojo::UserAgent;

# Wrap continuation-passing style APIs with promises
my $ua = Mojo::UserAgent->new;
sub get {
  my $promise = Mojo::Promise->new;
  $ua->get(@_ => sub {
    my ($ua, $tx) = @_;
    my $err = $tx->error;
    $promise->resolve($tx) if !$err || $err->{code};
    $promise->reject($err->{message});
  });
  return $promise;
}

# Perform non-blocking operations sequentially
get('http://mojolicious.org')->then(sub {
  my $mojo = shift;
  say $mojo->res->code;
  return get('http://metacpan.org');
})->then(sub {
  my $cpan = shift;
  say $cpan->res->code;
})->catch(sub {
  my $err = shift;
  warn "Something went wrong: $err";
})->wait;

# Synchronize non-blocking operations (all)
my $mojo = get('http://mojolicious.org');
my $cpan = get('http://metacpan.org');
Mojo::Promise->all($mojo, $cpan)->then(sub {
  my ($mojo, $cpan) = @_;
  say $mojo->[0]->res->code;
  say $cpan->[0]->res->code;
})->catch(sub {
  my $err = shift;
  warn "Something went wrong: $err";
})->wait;

# Synchronize non-blocking operations (race)
my $mojo = get('http://mojolicious.org');
my $cpan = get('http://metacpan.org');
Mojo::Promise->race($mojo, $cpan)->then(sub {
  my $tx = shift;
  say $tx->req->url, ' won!';
})->catch(sub {
  my $err = shift;
  warn "Something went wrong: $err";
})->wait;

DESCRIPTION

Mojo::Promise is a Perl-ish implementation of Promises/A+.

ATTRIBUTES

Mojo::Promise implements the following attributes.

ioloop

my $loop = $promise->ioloop;
$promise = $promise->ioloop(Mojo::IOLoop->new);

Event loop object to control, defaults to the global Mojo::IOLoop singleton.

METHODS

Mojo::Promise inherits all methods from Mojo::Base and implements the following new ones.

all

my $new = Mojo::Promise->all(@promises);

Returns a new Mojo::Promise object that either fulfills when all of the passed Mojo::Promise objects have fulfilled or rejects as soon as one of them rejects. If the returned promise fulfills, it is fulfilled with the values from the fulfilled promises in the same order as the passed promises. This method can be useful for aggregating results of multiple promises.

catch

my $new = $promise->catch(sub {...});

Appends a rejection handler callback to the promise, and returns a new Mojo::Promise object resolving to the return value of the callback if it is called, or to its original fulfillment value if the promise is instead fulfilled.

# Longer version
my $new = $promise->then(undef, sub {...});

# Pass along the rejection reason
$promise->catch(sub {
  my @reason = @_;
  warn "Something went wrong: $reason[0]";
  return @reason;
});

# Change the rejection reason
$promise->catch(sub {
  my @reason = @_;
  return "This is bad: $reason[0]";
});

finally

my $new = $promise->finally(sub {...});

Appends a fulfillment and rejection handler to the promise, and returns a new Mojo::Promise object resolving to the original fulfillment value or rejection reason.

# Do something on fulfillment and rejection
$promise->finally(sub {
  my @value_or_reason = @_;
  say "We are done!";
});

race

my $new = Mojo::Promise->race(@promises);

Returns a new Mojo::Promise object that fulfills or rejects as soon as one of the passed Mojo::Promise objects fulfills or rejects, with the value or reason from that promise.

reject

$promise = $promise->reject(@reason);

Reject the promise with one or more rejection reasons.

# Generate rejected promise
my $promise = Mojo::Promise->new->reject('Something went wrong: Oops');

resolve

$promise = $promise->resolve(@value);

Resolve the promise with one or more fulfillment values.

# Generate fulfilled promise
my $promise = Mojo::Promise->new->resolve('The result is: 24');

then

my $new = $promise->then(sub {...});
my $new = $promise->then(sub {...}, sub {...});
my $new = $promise->then(undef, sub {...});

Appends fulfillment and rejection handlers to the promise, and returns a new Mojo::Promise object resolving to the return value of the called handler.

# Pass along the fulfillment value or rejection reason
$promise->then(
  sub {
    my @value = @_;
    say "The result is $value[0]";
    return @value;
  },
  sub {
    my @reason = @_;
    warn "Something went wrong: $reason[0]";
    return @reason;
  }
);

# Change the fulfillment value or rejection reason
$promise->then(
  sub {
    my @value = @_;
    return "This is good: $value[0]";
  },
  sub {
    my @reason = @_;
    return "This is bad: $reason[0]";
  }
);

wait

$promise->wait;

Start "ioloop" and stop it again once the promise has been fulfilled or rejected, does nothing when "ioloop" is already running.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)