/ 
Mojolicious-5.21
⭐ Starred 2674
/ Mojo::Util
Security Advisories (10)
CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

NAME

Mojo::Util - Portable utility functions

SYNOPSIS

use Mojo::Util qw(b64_encode url_escape url_unescape);

my $str = 'test=23';
my $escaped = url_escape $str;
say url_unescape $escaped;
say b64_encode $escaped, '';

DESCRIPTION

Mojo::Util provides portable utility functions for Mojo.

FUNCTIONS

Mojo::Util implements the following functions, which can be imported individually.

b64_decode

my $bytes = b64_decode $b64;

Base64 decode bytes.

b64_encode

my $b64 = b64_encode $bytes;
my $b64 = b64_encode $bytes, "\n";

Base64 encode bytes, the line ending defaults to a newline.

camelize

my $camelcase = camelize $snakecase;

Convert snake_case string to CamelCase and replace - with ::.

# "FooBar"
camelize 'foo_bar';

# "FooBar::Baz"
camelize 'foo_bar-baz';

# "FooBar::Baz"
camelize 'FooBar::Baz';

class_to_file

my $file = class_to_file 'Foo::Bar';

Convert a class name to a file.

# "foo_bar"
class_to_file 'Foo::Bar';

# "foobar"
class_to_file 'FOO::Bar';

# "foo_bar"
class_to_file 'FooBar';

# "foobar"
class_to_file 'FOOBar';

class_to_path

my $path = class_to_path 'Foo::Bar';

Convert class name to path.

# "Foo/Bar.pm"
class_to_path 'Foo::Bar';

# "FooBar.pm"
class_to_path 'FooBar';

decamelize

my $snakecase = decamelize $camelcase;

Convert CamelCase string to snake_case and replace :: with -.

# "foo_bar"
decamelize 'FooBar';

# "foo_bar-baz"
decamelize 'FooBar::Baz';

# "foo_bar-baz"
decamelize 'foo_bar-baz';

decode

my $chars = decode 'UTF-8', $bytes;

Decode bytes to characters and return undef if decoding failed.

deprecated

deprecated 'foo is DEPRECATED in favor of bar';

Warn about deprecated feature from perspective of caller. You can also set the MOJO_FATAL_DEPRECATIONS environment variable to make them die instead.

dumper

my $perl = dumper {some => 'data'};

Dump a Perl data structure with Data::Dumper.

encode

my $bytes = encode 'UTF-8', $chars;

Encode characters to bytes.

hmac_sha1_sum

my $checksum = hmac_sha1_sum $bytes, 'passw0rd';

Generate HMAC-SHA1 checksum for bytes.

html_unescape

my $str = html_unescape $escaped;

Unescape all HTML entities in string.

md5_bytes

my $checksum = md5_bytes $bytes;

Generate binary MD5 checksum for bytes.

md5_sum

my $checksum = md5_sum $bytes;

Generate MD5 checksum for bytes.

monkey_patch

monkey_patch $package, foo => sub {...};
monkey_patch $package, foo => sub {...}, bar => sub {...};

Monkey patch functions into package.

monkey_patch 'MyApp',
  one   => sub { say 'One!' },
  two   => sub { say 'Two!' },
  three => sub { say 'Three!' };

punycode_decode

my $str = punycode_decode $punycode;

Punycode decode string as described in RFC 3492.

punycode_encode

my $punycode = punycode_encode $str;

Punycode encode string as described in RFC 3492.

quote

my $quoted = quote $str;

Quote string.

secure_compare

my $bool = secure_compare $str1, $str2;

Constant time comparison algorithm to prevent timing attacks.

sha1_bytes

my $checksum = sha1_bytes $bytes;

Generate binary SHA1 checksum for bytes.

sha1_sum

my $checksum = sha1_sum $bytes;

Generate SHA1 checksum for bytes.

slurp

my $bytes = slurp '/etc/passwd';

Read all data at once from file.

split_header

my $tree = split_header 'foo="bar baz"; test=123, yada';

Split HTTP header value.

# "one"
split_header('one; two="three four", five=six')->[0][0];

# "three four"
split_header('one; two="three four", five=six')->[0][3];

# "five"
split_header('one; two="three four", five=six')->[1][0];

spurt

$bytes = spurt $bytes, '/etc/passwd';

Write all data at once to file.

squish

my $squished = squish $str;

Trim whitespace characters from both ends of string and then change all consecutive groups of whitespace into one space each.

steady_time

my $time = steady_time;

High resolution time, resilient to time jumps if a monotonic clock is available through Time::HiRes.

tablify

my $table = tablify [['foo', 'bar'], ['baz', 'yada']];

Row-oriented generator for text tables.

# "foo   bar\nyada  yada\nbaz   yada\n"
tablify [['foo', 'bar'], ['yada', 'yada'], ['baz', 'yada']];

trim

my $trimmed = trim $str;

Trim whitespace characters from both ends of string.

unindent

my $unindented = unindent $str;

Unindent multiline string.

unquote

my $str = unquote $quoted;

Unquote string.

url_escape

my $escaped = url_escape $str;
my $escaped = url_escape $str, '^A-Za-z0-9\-._~';

Percent encode unsafe characters in string as described in RFC 3986, the pattern used defaults to ^A-Za-z0-9\-._~.

url_unescape

my $str = url_unescape $escaped;

Decode percent encoded characters in string as described in RFC 3986.

xml_escape

my $escaped = xml_escape $str;

Escape unsafe characters &, <, >, " and ' in string.

xor_encode

my $encoded = xor_encode $str, $key;

XOR encode string with variable length key.

SEE ALSO

Mojolicious, Mojolicious::Guides, http://mojolicio.us.