/ 
Mojolicious-3.13
⭐ Starred 2674
/ Mojo::Util
Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::Util - Portable utility functions

SYNOPSIS

use Mojo::Util qw(b64_encode url_escape url_unescape);

my $string = 'test=23';
my $escaped = url_escape $string;
say url_unescape $escaped;
say b64_encode $escaped, '';

DESCRIPTION

Mojo::Util provides portable utility functions for Mojo.

FUNCTIONS

Mojo::Util implements the following functions.

b64_decode

my $string = b64_decode $b64;

Base64 decode string.

b64_encode

my $b64 = b64_encode $string;
my $b64 = b64_encode $string, "\n";

Base64 encode string, the line ending defaults to a newline.

camelize

my $camelcase = camelize $snakecase;

Convert snake case string to camel case and replace - with ::.

# "FooBar"
camelize 'foo_bar';

# "FooBar::Baz"
camelize 'foo_bar-baz';

# "FooBar::Baz"
camelize 'FooBar::Baz';

class_to_file

my $file = class_to_file 'Foo::Bar';

Convert a class name to a file.

Foo::Bar -> foo_bar
FOO::Bar -> foobar
FooBar   -> foo_bar
FOOBar   -> foobar

class_to_path

my $path = class_to_path 'Foo::Bar';

Convert class name to path.

Foo::Bar -> Foo/Bar.pm

decamelize

my $snakecase = decamelize $camelcase;

Convert camel case string to snake case and replace :: with -.

# "foo_bar"
decamelize 'FooBar';

# "foo_bar-baz"
decamelize 'FooBar::Baz';

# "foo_bar-baz"
decamelize 'foo_bar-baz';

decode

my $chars = decode 'UTF-8', $bytes;

Decode bytes to characters and return undef if decoding failed.

encode

my $bytes = encode 'UTF-8', $chars;

Encode characters to bytes.

get_line

my $line = get_line \$string;

Extract whole line from string or return undef. Lines are expected to end with 0x0d 0x0a or 0x0a.

hmac_md5_sum

my $checksum = hmac_md5_sum $string, 'passw0rd';

Generate HMAC-MD5 checksum for string.

hmac_sha1_sum

my $checksum = hmac_sha1_sum $string, 'passw0rd';

Generate HMAC-SHA1 checksum for string.

html_escape

my $escaped = html_escape $string;
my $escaped = html_escape $string, '^\n\r\t !#$%(-;=?-~';

Escape unsafe characters in string with HTML5 entities, the pattern used defaults to ^\n\r\t !#$%(-;=?-~.

html_unescape

my $string = html_unescape $escaped;

Unescape all HTML5 entities in string.

md5_bytes

my $checksum = md5_bytes $string;

Generate binary MD5 checksum for string.

md5_sum

my $checksum = md5_sum $string;

Generate MD5 checksum for string.

punycode_decode

my $string = punycode_decode $punycode;

Punycode decode string.

punycode_encode

my $punycode = punycode_encode $string;

Punycode encode string.

quote

my $quoted = quote $string;

Quote string.

secure_compare

my $success = secure_compare $string1, $string2;

Constant time comparison algorithm to prevent timing attacks.

sha1_bytes

my $checksum = sha1_bytes $string;

Generate binary SHA1 checksum for string.

sha1_sum

my $checksum = sha1_sum $string;

Generate SHA1 checksum for string.

slurp

my $content = slurp '/etc/passwd';

Read all data at once from file.

spurt

$content = spurt $content, '/etc/passwd';

Write all data at once to file.

trim

my $trimmed = trim $string;

Trim whitespace characters from both ends of string.

unquote

my $string = unquote $quoted;

Unquote string.

url_escape

my $escaped = url_escape $string;
my $escaped = url_escape $string, '^A-Za-z0-9\-._~';

Percent-encode unsafe characters in string, the pattern used defaults to ^A-Za-z0-9\-._~.

url_unescape

my $string = url_unescape $escaped;

Decode percent-encoded characters in string.

xml_escape

my $escaped = xml_escape $string;

Escape only the characters &, <, >, " and ' in string, this is a much faster version of html_escape.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.