Security Advisories (14)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CVE-2010-4802 (2011-05-03)

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2010-4803 (2011-05-03)

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojo::Headers - Headers

SYNOPSIS

use Mojo::Headers;

my $headers = Mojo::Headers->new;
$headers->content_type('text/plain');
$headers->parse("Content-Type: text/html\n\n");
print "$headers";

DESCRIPTION

Mojo::Headers is a container and parser for HTTP headers.

ATTRIBUTES

Mojo::Headers inherits all attributes from Mojo::Stateful and implements the following new ones.

buffer

my $buffer = $headers->buffer;
$headers   = $headers->buffer(Mojo::ByteStream->new);

The buffer to use for header parsing, by default a Mojo::ByteStream object.

accept_language

my $accept_language = $headers->accept_language;
$headers            = $headers->accept_language('de, en');

Shortcut for the Accept-Language header.

connection

my $connection = $headers->connection;
$headers       = $headers->connection('close');

Shortcut for the Connection header.

content_disposition

my $content_disposition = $headers->content_disposition;
$headers                = $headers->content_disposition('foo');

Shortcut for the Content-Disposition header.

content_length

my $content_length = $headers->content_length;
$headers           = $headers->content_length(4000);

Shortcut for the Content-Length header.

content_transfer_encoding

my $encoding = $headers->content_transfer_encoding;
$headers     = $headers->content_transfer_encoding('foo');

Shortcut for the Content-Transfer-Encoding header.

content_type

my $content_type = $headers->content_type;
$headers         = $headers->content_type('text/plain');

Shortcut for the Content-Type header.

cookie

my $cookie = $headers->cookie;
$headers   = $headers->cookie('$Version=1; f=b; $Path=/');

Shortcut for the Cookie header.

date

my $date = $headers->date;
$headers = $headers->date('Sun, 17 Aug 2008 16:27:35 GMT');

Shortcut for the Date header.

expect

my $expect = $headers->expect;
$headers   = $headers->expect('100-continue');

Shortcut for the Expect header.

host

my $host = $headers->host;
$headers = $headers->host('127.0.0.1');

Shortcut for the Host header.

location

my $location = $headers->location;
$headers     = $headers->location('http://127.0.0.1/foo');

Shortcut for the Location header.

origin

my $origin = $headers->origin;
$headers   = $headers->origin('http://example.com');

Shortcut for the Origin header.

proxy_authorization

my $proxy_authorization = $headers->proxy_authorization;
$headers = $headers->proxy_authorization('Basic Zm9vOmJhcg==');

Shortcut for the Proxy-Authorization header.

server

my $server = $headers->server;
$headers   = $headers->server('Mojo');

Shortcut for the Server header.

set_cookie

my $set_cookie = $headers->set_cookie;
$headers       = $headers->set_cookie('f=b; Version=1; Path=/');

Shortcut for the Set-Cookie header.

set_cookie2

my $set_cookie2 = $headers->set_cookie2;
$headers        = $headers->set_cookie2('f=b; Version=1; Path=/');

Shortcut for the Set-Cookie2 header.

status

my $status = $headers->status;
$headers   = $headers->status('200 OK');

Shortcut for the Status header.

trailer

my $trailer = $headers->trailer;
$headers    = $headers->trailer('X-Foo');

Shortcut for the Trailer header.

transfer_encoding

my $transfer_encoding = $headers->transfer_encoding;
$headers              = $headers->transfer_encoding('chunked');

Shortcut for the Transfer-Encoding header.

upgrade

my $upgrade = $headers->upgrade;
$headers    = $headers->upgrade('WebSocket');

Shortcut for the Upgrade header.

user_agent

my $user_agent = $headers->user_agent;
$headers       = $headers->user_agent('Mojo/1.0');

Shortcut for the User-Agent header.

websocket_location

my $location = $headers->websocket_location;
$headers     = $headers->websocket_location('ws://example.com/demo');

Shortcut for the WebSocket-Location header.

websocket_origin

my $origin = $headers->websocket_origin;
$headers   = $headers->websocket_origin('http://example.com');

Shortcut for the WebSocket-Origin header.

websocket_protocol

my $protocol = $headers->websocket_protocol;
$headers     = $headers->websocket_protocol('sample');

Shortcut for the WebSocket-Protocol header.

METHODS

Mojo::Headers inherits all methods from Mojo::Stateful and implements the following new ones.

add

$headers = $headers->add('Content-Type', 'text/plain');

Add one or more header lines.

to_string

build

my $string = $headers->build;
my $string = $headers->to_string;
my $string = "$headers";

Format headers suitable for HTTP 1.1 messages.

from_hash

$headers = $headers->from_hash({'Content-Type' => 'text/html'});

Parse headers from a hash.

header

my $string = $headers->header('Content-Type');
my @lines  = $headers->header('Content-Type');
$headers   = $headers->header('Content-Type' => 'text/plain');

Get or replace the current header values. Note that this method is context sensitive and will turn all header lines into a single one in scalar context.
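
The context sensitivity noted above matters whenever header is called inside a hash constructor or an argument list, because both impose list context. The following is an added example, not code from Mojolicious: My::Headers is a hypothetical stand-in that mimics the documented behaviour (the ', ' join separator is an assumption), and the header values are constructed.

```perl
use strict;
use warnings;

# Hypothetical stand-in (not Mojo::Headers itself) that mimics the documented
# behaviour: list context returns every line, scalar context joins them.
package My::Headers;

sub new {
  my $class = shift;
  return bless {lines => {}}, $class;
}

sub add {
  my ($self, $name, @values) = @_;
  push @{$self->{lines}{lc $name} ||= []}, @values;
  return $self;
}

sub header {
  my ($self, $name) = @_;
  my @lines = @{$self->{lines}{lc $name} || []};
  return wantarray ? @lines : join ', ', @lines;
}

package main;

# Constructed input: the client repeated the same header three times.
my $headers = My::Headers->new;
$headers->add('Accept-Language', $_) for qw(de en fr);

# Risky: a hash constructor imposes list context, so every extra header
# line becomes an additional key or value chosen by the client.
my %risky = (lang => $headers->header('Accept-Language'), path => '/');

# Safe: force scalar context so exactly one value is produced and the
# key/value pairing of the hash stays under the application's control.
my %safe = (lang => scalar $headers->header('Accept-Language'), path => '/');

print 'risky keys: ', join(',', sort keys %risky), "\n";
print 'safe keys:  ', join(',', sort keys %safe),  "\n";
print 'safe lang:  ', $safe{lang}, "\n";
```

Assigning the result to a scalar variable first has the same effect as the scalar keyword and is easier to spot in code review.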

names

my $names = $headers->names;

Generate a list of all currently defined headers.

parse

my $success = $headers->parse("Content-Type: text/foo\n\n");

Parse formatted headers.

remove

$headers = $headers->remove('Content-Type');

Remove a header.

to_hash

my $hash = $headers->to_hash;
my $hash = $headers->to_hash(arrayref => 1);

Format headers as a hash. Nested arrayrefs to represent multi-line values are optional.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicious.org.