Security Advisories (2)
CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

CVE-2024-58135 (2025-05-03)

Mojolicious versions from 7.28 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute-force the application's session keys.
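
A startup check covering both advisories above, as an added example that is not Mojolicious's own code: it installs a secret taken from the environment or from the kernel CSPRNG and refuses to run while any configured secret equals the moniker or class name or is too short. The helper names, the MYAPP_SECRET variable, the 32-character minimum and the use of /dev/urandom are assumptions of this example.

```perl
use Mojo::Base -strict, -signatures;
use Mojolicious;

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
# Assumption: a Unix-like host that provides /dev/urandom.
sub random_secret {
  open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
  my $got = read($fh, my $bytes, 32);
  die "Short read from /dev/urandom\n" unless defined $got && $got == 32;
  return unpack 'H*', $bytes;
}

# Secrets an attacker could guess: equal to the moniker or class name (the
# defaults named in CVE-2024-58134) or shorter than $min characters.
# Returns the weak secrets in list context, their count in scalar context.
sub weak_secrets ($app, $min = 32) {
  my %guessable = map { $_ => 1 } $app->moniker, ref($app);
  return grep { $guessable{$_} || length($_) < $min } @{$app->secrets};
}

# Install a secret from the environment (MYAPP_SECRET is a hypothetical name)
# or a fresh random one, then fail closed if anything weak remains.
sub harden_secrets ($app) {
  $app->secrets([$ENV{MYAPP_SECRET} // random_secret()]);
  my @weak = weak_secrets($app);
  die 'Refusing to start: ' . @weak . " weak session secret(s)\n" if @weak;
  return $app;
}

# Demonstration on a bare application object
my $app = Mojolicious->new;
say 'weak secrets before: ', scalar weak_secrets($app);
harden_secrets($app);
say 'weak secrets after:  ', scalar weak_secrets($app);
```

A secret generated at startup invalidates existing session cookies on every restart; supply a persistent one through the environment variable when sessions must survive.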

NAME

Mojo::WebSocket - The WebSocket protocol

SYNOPSIS

use Mojo::WebSocket qw(WS_TEXT build_frame parse_frame);

my $bytes = build_frame 0, 1, 0, 0, 0, WS_TEXT, 'Hello World!';
my $frame = parse_frame \$bytes, 262144;

DESCRIPTION

Mojo::WebSocket implements the WebSocket protocol as described in RFC 6455. Note that 64-bit frames require a Perl with support for quads or they are limited to 32-bit.

FUNCTIONS

Mojo::WebSocket implements the following functions, which can be imported individually.

build_frame

my $bytes = build_frame $masked, $fin, $rsv1, $rsv2, $rsv3, $op, $payload;

Build WebSocket frame.

# Masked binary frame with FIN bit and payload
say build_frame 1, 1, 0, 0, 0, WS_BINARY, 'Hello World!';

# Text frame with payload but without FIN bit
say build_frame 0, 0, 0, 0, 0, WS_TEXT, 'Hello ';

# Continuation frame with FIN bit and payload
say build_frame 0, 1, 0, 0, 0, WS_CONTINUATION, 'World!';

# Close frame with FIN bit and without payload
say build_frame 0, 1, 0, 0, 0, WS_CLOSE, '';

# Ping frame with FIN bit and payload
say build_frame 0, 1, 0, 0, 0, WS_PING, 'Test 123';

# Pong frame with FIN bit and payload
say build_frame 0, 1, 0, 0, 0, WS_PONG, 'Test 123';

challenge

my $bool = challenge Mojo::Transaction::WebSocket->new;

Check WebSocket handshake challenge.

client_handshake

my $tx = client_handshake Mojo::Transaction::HTTP->new;

Perform WebSocket handshake client-side.

parse_frame

my $frame = parse_frame \$bytes, $limit;

Parse WebSocket frame.

# Parse single frame and remove it from buffer
my $frame = parse_frame \$buffer, 262144;
say "FIN: $frame->[0]";
say "RSV1: $frame->[1]";
say "RSV2: $frame->[2]";
say "RSV3: $frame->[3]";
say "Opcode: $frame->[4]";
say "Payload: $frame->[5]";

server_handshake

my $tx = server_handshake Mojo::Transaction::HTTP->new;

Perform WebSocket handshake server-side.

CONSTANTS

Mojo::WebSocket implements the following constants, which can be imported individually.

WS_BINARY

Opcode for Binary frames.

WS_CLOSE

Opcode for Close frames.

WS_CONTINUATION

Opcode for Continuation frames.

WS_PING

Opcode for Ping frames.

WS_PONG

Opcode for Pong frames.

WS_TEXT

Opcode for Text frames.

DEBUGGING

You can set the MOJO_WEBSOCKET_DEBUG environment variable to get some advanced diagnostics information printed to STDERR.

MOJO_WEBSOCKET_DEBUG=1

SEE ALSO

Mojolicious, Mojolicious::Guides, https://mojolicious.org.