Security Advisories (2)
CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

CVE-2024-58135 (2025-05-03)

Mojolicious versions from 7.28 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
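An added example (not from the Mojolicious documentation) of auditing an application for the predictable secrets both advisories describe and replacing them with one drawn from the kernel CSPRNG. The helper names strong_secret and weak_secrets and the 32-character minimum are assumptions of this example, which also assumes a Unix-like system with /dev/urandom.

```perl
use strict;
use warnings;
use Mojolicious;

# Read $bytes bytes from the kernel CSPRNG and hex-encode them.
# Assumption: a Unix-like system that provides /dev/urandom.
sub strong_secret {
  my $bytes = shift // 32;
  open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
  my $got = read $fh, my $buf, $bytes;
  close $fh;
  die "Short read from /dev/urandom" unless defined $got && $got == $bytes;
  return unpack 'H*', $buf;
}

# Hypothetical audit helper: return every configured secret that matches a
# predictable default (moniker or class name, per CVE-2024-58134) or is
# shorter than 32 characters (threshold chosen for this example).
sub weak_secrets {
  my $app = shift;
  my %predictable = map { $_ => 1 } $app->moniker, ref $app;
  return grep { $predictable{$_} || length($_) < 32 } @{$app->secrets};
}

my $app = Mojolicious->new;

# Constructed weak configuration: the secret is the application moniker.
$app->secrets([$app->moniker]);
print "weak secret found: $_\n" for weak_secrets($app);

# Hardened configuration: 32 random bytes, hex-encoded. In a deployment the
# value is generated once and loaded from protected configuration, so that
# sessions survive restarts.
$app->secrets([strong_secret()]);
my @remaining = weak_secrets($app);
print "weak secrets after fix: ", scalar(@remaining), "\n";
```

Only the first entry in secrets signs new cookies while all entries are accepted for verification, so an old secret left in the list during rotation remains usable for forgery until it is removed.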

NAME

Mojo::Headers - HTTP headers

SYNOPSIS

use Mojo::Headers;

# Parse
my $headers = Mojo::Headers->new;
$headers->parse("Content-Length: 42\x0d\x0a");
$headers->parse("Content-Type: text/html\x0d\x0a\x0d\x0a");
say $headers->content_length;
say $headers->content_type;

# Build
my $headers = Mojo::Headers->new;
$headers->content_length(42);
$headers->content_type('text/plain');
say $headers->to_string;

DESCRIPTION

Mojo::Headers is a container for HTTP headers, based on RFC 7230 and RFC 7231.

ATTRIBUTES

Mojo::Headers implements the following attributes.

max_line_size

my $size = $headers->max_line_size;
$headers = $headers->max_line_size(1024);

Maximum header line size in bytes, defaults to the value of the MOJO_MAX_LINE_SIZE environment variable or 8192 (8KiB).

max_lines

my $num  = $headers->max_lines;
$headers = $headers->max_lines(200);

Maximum number of header lines, defaults to the value of the MOJO_MAX_LINES environment variable or 100.

METHODS

Mojo::Headers inherits all methods from Mojo::Base and implements the following new ones.

add

$headers = $headers->add(Foo => 'one value');
$headers = $headers->add(Foo => 'first value', 'second value');

Add header with one or more lines.

# "Vary: Accept
#  Vary: Accept-Encoding"
$headers->add(Vary => 'Accept')->add(Vary => 'Accept-Encoding')->to_string;

append

$headers = $headers->append(Vary => 'Accept-Encoding');

Append value to header and flatten it if necessary.

# "Vary: Accept"
$headers->append(Vary => 'Accept')->to_string;

# "Vary: Accept, Accept-Encoding"
$headers->vary('Accept')->append(Vary => 'Accept-Encoding')->to_string;

clone

my $clone = $headers->clone;

Return a new Mojo::Headers object cloned from these headers.

dehop

$headers = $headers->dehop;

Remove hop-by-hop headers that should not be retransmitted.

every_header

my $all = $headers->every_header('Location');

Similar to "header", but returns all headers sharing the same name as an array reference.

# Get first header value
say $headers->every_header('Location')->[0];

from_hash

$headers = $headers->from_hash({'Cookie' => 'a=b'});
$headers = $headers->from_hash({'Cookie' => ['a=b', 'c=d']});
$headers = $headers->from_hash({});

Parse headers from a hash reference. An empty hash removes all headers.

header

my $value = $headers->header('Foo');
$headers  = $headers->header(Foo => 'one value');
$headers  = $headers->header(Foo => 'first value', 'second value');

Get or replace the current header values.

is_finished

my $bool = $headers->is_finished;

Check if header parser is finished.

is_limit_exceeded

my $bool = $headers->is_limit_exceeded;

Check if headers have exceeded "max_line_size" or "max_lines".
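An added example (not part of the Mojo::Headers documentation) showing how "max_line_size", "max_lines", "is_limit_exceeded" and "is_finished" interact when parsing untrusted input. The function name parse_with_limits, the limit values and the sample header blocks are constructed for this illustration.

```perl
use strict;
use warnings;
use Mojo::Headers;

# Parse a raw header block under explicit limits and classify the result.
# The limit check comes first: a parser that hit a limit also reports
# itself as finished, so is_finished alone does not mean the headers are
# complete and usable.
sub parse_with_limits {
  my ($raw, %limits) = @_;
  my $headers = Mojo::Headers->new(%limits);
  $headers->parse($raw);
  return 'rejected: limit exceeded'   if $headers->is_limit_exceeded;
  return 'incomplete: need more data' unless $headers->is_finished;
  return 'ok: ' . join ', ', sort @{$headers->names};
}

my $crlf = "\x0d\x0a";

# Constructed sample inputs
my %samples = (
  normal   => "Host: example.com${crlf}Accept: */*${crlf}${crlf}",
  partial  => "Host: example.com${crlf}",
  too_long => 'X-Pad: ' . ('a' x 200) . "${crlf}${crlf}",
  too_many => join('', map {"X-$_: 1$crlf"} 1 .. 10) . $crlf,
);

# Deliberately tight limits so the oversized samples trip them
my %limits = (max_line_size => 64, max_lines => 5);

for my $name (sort keys %samples) {
  printf "%-9s %s\n", $name, parse_with_limits($samples{$name}, %limits);
}
```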

leftovers

my $bytes = $headers->leftovers;

Get and remove leftover data from header parser.

names

my $names = $headers->names;

Return an array reference with all currently defined headers.

# Names of all headers
say for @{$headers->names};

parse

$headers = $headers->parse("Content-Type: text/plain\x0d\x0a\x0d\x0a");

Parse formatted headers.

remove

$headers = $headers->remove('Foo');

Remove a header.

to_hash

my $single = $headers->to_hash;
my $multi  = $headers->to_hash(1);

Turn headers into a hash reference. Array references to represent multiple headers with the same name are disabled by default.

say $headers->to_hash->{DNT};

to_string

my $str = $headers->to_string;

Turn headers into a string, suitable for HTTP messages.

ADDITIONAL METHODS

Additionally, the following shortcuts are available, for accessing and manipulating commonly-used headers:

accept

my $accept = $headers->accept;
$headers   = $headers->accept('application/json');

Get or replace current header value, shortcut for the Accept header.

accept_charset

my $charset = $headers->accept_charset;
$headers    = $headers->accept_charset('UTF-8');

Get or replace current header value, shortcut for the Accept-Charset header.

accept_encoding

my $encoding = $headers->accept_encoding;
$headers     = $headers->accept_encoding('gzip');

Get or replace current header value, shortcut for the Accept-Encoding header.

accept_language

my $language = $headers->accept_language;
$headers     = $headers->accept_language('de, en');

Get or replace current header value, shortcut for the Accept-Language header.

accept_ranges

my $ranges = $headers->accept_ranges;
$headers   = $headers->accept_ranges('bytes');

Get or replace current header value, shortcut for the Accept-Ranges header.

access_control_allow_origin

my $origin = $headers->access_control_allow_origin;
$headers   = $headers->access_control_allow_origin('*');

Get or replace current header value, shortcut for the Access-Control-Allow-Origin header from Cross-Origin Resource Sharing.

allow

my $allow = $headers->allow;
$headers  = $headers->allow('GET, POST');

Get or replace current header value, shortcut for the Allow header.

authorization

my $authorization = $headers->authorization;
$headers          = $headers->authorization('Basic Zm9vOmJhcg==');

Get or replace current header value, shortcut for the Authorization header.

cache_control

my $cache_control = $headers->cache_control;
$headers          = $headers->cache_control('max-age=1, no-cache');

Get or replace current header value, shortcut for the Cache-Control header.

connection

my $connection = $headers->connection;
$headers       = $headers->connection('close');

Get or replace current header value, shortcut for the Connection header.

content_disposition

my $disposition = $headers->content_disposition;
$headers        = $headers->content_disposition('foo');

Get or replace current header value, shortcut for the Content-Disposition header.

content_encoding

my $encoding = $headers->content_encoding;
$headers     = $headers->content_encoding('gzip');

Get or replace current header value, shortcut for the Content-Encoding header.

content_language

my $language = $headers->content_language;
$headers     = $headers->content_language('en');

Get or replace current header value, shortcut for the Content-Language header.

content_length

my $len  = $headers->content_length;
$headers = $headers->content_length(4000);

Get or replace current header value, shortcut for the Content-Length header.

content_location

my $location = $headers->content_location;
$headers     = $headers->content_location('http://127.0.0.1/foo');

Get or replace current header value, shortcut for the Content-Location header.

content_range

my $range = $headers->content_range;
$headers  = $headers->content_range('bytes 2-8/100');

Get or replace current header value, shortcut for the Content-Range header.

content_security_policy

my $policy = $headers->content_security_policy;
$headers   = $headers->content_security_policy('default-src https:');

Get or replace current header value, shortcut for the Content-Security-Policy header from Content Security Policy 1.0.

content_type

my $type = $headers->content_type;
$headers = $headers->content_type('text/plain');

Get or replace current header value, shortcut for the Content-Type header.

cookie

my $cookie = $headers->cookie;
$headers   = $headers->cookie('f=b');

Get or replace current header value, shortcut for the Cookie header from RFC 6265.

date

my $date = $headers->date;
$headers = $headers->date('Sun, 17 Aug 2008 16:27:35 GMT');

Get or replace current header value, shortcut for the Date header.

dnt

my $dnt  = $headers->dnt;
$headers = $headers->dnt(1);

Get or replace current header value, shortcut for the DNT (Do Not Track) header, which has no specification yet, but is very commonly used.

etag

my $etag = $headers->etag;
$headers = $headers->etag('"abc321"');

Get or replace current header value, shortcut for the ETag header.

expect

my $expect = $headers->expect;
$headers   = $headers->expect('100-continue');

Get or replace current header value, shortcut for the Expect header.

expires

my $expires = $headers->expires;
$headers    = $headers->expires('Thu, 01 Dec 1994 16:00:00 GMT');

Get or replace current header value, shortcut for the Expires header.

host

my $host = $headers->host;
$headers = $headers->host('127.0.0.1');

Get or replace current header value, shortcut for the Host header.

if_modified_since

my $date = $headers->if_modified_since;
$headers = $headers->if_modified_since('Sun, 17 Aug 2008 16:27:35 GMT');

Get or replace current header value, shortcut for the If-Modified-Since header.

if_none_match

my $etag = $headers->if_none_match;
$headers = $headers->if_none_match('"abc321"');

Get or replace current header value, shortcut for the If-None-Match header.

last_modified

my $date = $headers->last_modified;
$headers = $headers->last_modified('Sun, 17 Aug 2008 16:27:35 GMT');

Get or replace current header value, shortcut for the Last-Modified header.

link

my $link = $headers->link;
$headers = $headers->link('<http://127.0.0.1/foo/3>; rel="next"');

Get or replace current header value, shortcut for the Link header from RFC 5988.

links

my $links = $headers->links;
$headers  = $headers->links({next => 'http://example.com/foo', prev => 'http://example.com/bar'});

Get or set web links from or to Link header according to RFC 5988.

# Extract information about next page
say $headers->links->{next}{link};
say $headers->links->{next}{title};

location

my $location = $headers->location;
$headers     = $headers->location('http://127.0.0.1/foo');

Get or replace current header value, shortcut for the Location header.

origin

my $origin = $headers->origin;
$headers   = $headers->origin('http://example.com');

Get or replace current header value, shortcut for the Origin header from RFC 6454.

proxy_authenticate

my $authenticate = $headers->proxy_authenticate;
$headers         = $headers->proxy_authenticate('Basic "realm"');

Get or replace current header value, shortcut for the Proxy-Authenticate header.

proxy_authorization

my $authorization = $headers->proxy_authorization;
$headers          = $headers->proxy_authorization('Basic Zm9vOmJhcg==');

Get or replace current header value, shortcut for the Proxy-Authorization header.

range

my $range = $headers->range;
$headers  = $headers->range('bytes=2-8');

Get or replace current header value, shortcut for the Range header.

referer

my $referrer = $headers->referer;
$headers     = $headers->referer('http://example.com');

Alias for "referrer".

referrer

my $referrer = $headers->referrer;
$headers     = $headers->referrer('http://example.com');

Get or replace current header value, shortcut for the Referer header. There was a typo in RFC 2068 which resulted in Referer becoming an official header.

sec_websocket_accept

my $accept = $headers->sec_websocket_accept;
$headers   = $headers->sec_websocket_accept('s3pPLMBiTxaQ9kYGzzhZRbK+xOo=');

Get or replace current header value, shortcut for the Sec-WebSocket-Accept header from RFC 6455.

sec_websocket_extensions

my $extensions = $headers->sec_websocket_extensions;
$headers       = $headers->sec_websocket_extensions('foo');

Get or replace current header value, shortcut for the Sec-WebSocket-Extensions header from RFC 6455.

sec_websocket_key

my $key  = $headers->sec_websocket_key;
$headers = $headers->sec_websocket_key('dGhlIHNhbXBsZSBub25jZQ==');

Get or replace current header value, shortcut for the Sec-WebSocket-Key header from RFC 6455.

sec_websocket_protocol

my $proto = $headers->sec_websocket_protocol;
$headers  = $headers->sec_websocket_protocol('sample');

Get or replace current header value, shortcut for the Sec-WebSocket-Protocol header from RFC 6455.

sec_websocket_version

my $version = $headers->sec_websocket_version;
$headers    = $headers->sec_websocket_version(13);

Get or replace current header value, shortcut for the Sec-WebSocket-Version header from RFC 6455.

server

my $server = $headers->server;
$headers   = $headers->server('Mojo');

Get or replace current header value, shortcut for the Server header.

server_timing

my $timing = $headers->server_timing;
$headers   = $headers->server_timing('app;desc=Mojolicious;dur=0.0001');

Get or replace current header value, shortcut for the Server-Timing header from Server Timing.

set_cookie

my $cookie = $headers->set_cookie;
$headers   = $headers->set_cookie('f=b; path=/');

Get or replace current header value, shortcut for the Set-Cookie header from RFC 6265.

status

my $status = $headers->status;
$headers   = $headers->status('200 OK');

Get or replace current header value, shortcut for the Status header from RFC 3875.

strict_transport_security

my $policy = $headers->strict_transport_security;
$headers   = $headers->strict_transport_security('max-age=31536000');

Get or replace current header value, shortcut for the Strict-Transport-Security header from RFC 6797.

te

my $te   = $headers->te;
$headers = $headers->te('chunked');

Get or replace current header value, shortcut for the TE header.

trailer

my $trailer = $headers->trailer;
$headers    = $headers->trailer('X-Foo');

Get or replace current header value, shortcut for the Trailer header.

transfer_encoding

my $encoding = $headers->transfer_encoding;
$headers     = $headers->transfer_encoding('chunked');

Get or replace current header value, shortcut for the Transfer-Encoding header.

upgrade

my $upgrade = $headers->upgrade;
$headers    = $headers->upgrade('websocket');

Get or replace current header value, shortcut for the Upgrade header.

user_agent

my $agent = $headers->user_agent;
$headers  = $headers->user_agent('Mojo/1.0');

Get or replace current header value, shortcut for the User-Agent header.

vary

my $vary = $headers->vary;
$headers = $headers->vary('*');

Get or replace current header value, shortcut for the Vary header.

www_authenticate

my $authenticate = $headers->www_authenticate;
$headers         = $headers->www_authenticate('Basic realm="realm"');

Get or replace current header value, shortcut for the WWW-Authenticate header.

SEE ALSO

Mojolicious, Mojolicious::Guides, https://mojolicious.org.