Security Advisories (9)

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

https://github.com/mojolicious/mojo/pull/1791

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CVE-2020-36829 (2020-11-10)

Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.

https://github.com/mojolicious/mojo/pull/1601

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

CVE-2024-58135 (2025-05-03)

Mojolicious versions from 7.28 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

NAME

Mojo::File - File system paths

SYNOPSIS

use Mojo::File;

# Portably deal with file system paths
my $path = Mojo::File->new('/home/sri/.vimrc');
say $path->slurp;
say $path->dirname;
say $path->basename;
say $path->sibling('.bashrc');

# Use the alternative constructor
use Mojo::File 'path';
my $path = path('/tmp/foo/bar')->make_path;
$path->child('test.txt')->spurt('Hello Mojo!');

DESCRIPTION

Mojo::File is a scalar-based container for file system paths that provides a friendly API for dealing with different operating systems.

# Access scalar directly to manipulate path
my $path = Mojo::File->new('/home/sri/test');
$$path .= '.txt';

FUNCTIONS

Mojo::File implements the following functions, which can be imported individually.

path

my $path = path;
my $path = path('/home/sri/.vimrc');
my $path = path('/home', 'sri', '.vimrc');
my $path = path(File::Temp->newdir);

Construct a new scalar-based Mojo::File object, defaults to using the current working directory.

# "foo/bar/baz.txt" (on UNIX)
path('foo', 'bar', 'baz.txt');

tempdir

my $path = tempdir;
my $path = tempdir('tempXXXXX');

Construct a new scalar-based Mojo::File object for a temporary directory with File::Temp.

# Longer version
my $path = path(File::Temp->newdir('tempXXXXX'));

tempfile

my $path = tempfile;
my $path = tempfile(DIR => '/tmp');

Construct a new scalar-based Mojo::File object for a temporary file with File::Temp.

# Longer version
my $path = path(File::Temp->new(DIR => '/tmp'));

METHODS

Mojo::File implements the following methods.

basename

my $name = $path->basename;
my $name = $path->basename('.txt');

Return the last level of the path with File::Basename.

# ".vimrc" (on UNIX)
path('/home/sri/.vimrc')->basename;

# "test" (on UNIX)
path('/home/sri/test.txt')->basename('.txt');

child

my $child = $path->child('.vimrc');

Return a new Mojo::File object relative to the path.

# "/home/sri/.vimrc" (on UNIX)
path('/home')->child('sri', '.vimrc');

copy_to

my $destination = $path->copy_to('/home/sri');
my $destination = $path->copy_to('/home/sri/.vimrc.backup');

Copy file with File::Copy and return the destination as a Mojo::File object.

dirname

my $name = $path->dirname;

Return all but the last level of the path with File::Basename as a Mojo::File object.

# "/home/sri" (on UNIX)
path('/home/sri/.vimrc')->dirname;

is_abs

my $bool = $path->is_abs;

Check if the path is absolute.

# True (on UNIX)
path('/home/sri/.vimrc')->is_abs;

# False (on UNIX)
path('.vimrc')->is_abs;

list

my $collection = $path->list;
my $collection = $path->list({hidden => 1});

List all files in the directory and return a Mojo::Collection object containing the results as Mojo::File objects. The list does not include . and ...

# List files
say for path('/home/sri/myapp')->list->each;

These options are currently available:

dir

dir => 1

Include directories.

hidden

hidden => 1

Include hidden files.

list_tree

my $collection = $path->list_tree;
my $collection = $path->list_tree({hidden => 1});

List all files recursively in the directory and return a Mojo::Collection object containing the results as Mojo::File objects. The list does not include . and ...

# List all templates
say for path('/home/sri/myapp/templates')->list_tree->each;

These options are currently available:

dir

dir => 1

Include directories.

hidden

hidden => 1

Include hidden files and directories.

make_path

$path = $path->make_path;
$path = $path->make_path({mode => 0711});

Create the directories if they don't already exist, any additional arguments are passed through to File::Path.

move_to

my $destination = $path->move_to('/home/sri');
my $destination = $path->move_to('/home/sri/.vimrc.backup');

Move file with File::Copy and return the destination as a Mojo::File object.

new

my $path = Mojo::File->new;
my $path = Mojo::File->new('/home/sri/.vimrc');
my $path = Mojo::File->new('/home', 'sri', '.vimrc');
my $path = Mojo::File->new(File::Temp->new);
my $path = Mojo::File->new(File::Temp->newdir);

Construct a new Mojo::File object, defaults to using the current working directory.

# "foo/bar/baz.txt" (on UNIX)
Mojo::File->new('foo', 'bar', 'baz.txt');

open

my $handle = $path->open('+<');
my $handle = $path->open('r+');
my $handle = $path->open(O_RDWR);
my $handle = $path->open('<:encoding(UTF-8)');

Open file with IO::File.

# Combine "fcntl.h" constants
use Fcntl qw(O_CREAT O_EXCL O_RDWR);
my $handle = path('/home/sri/test.pl')->open(O_RDWR | O_CREAT | O_EXCL);

realpath

my $realpath = $path->realpath;

Resolve the path with Cwd and return the result as a Mojo::File object.

remove_tree

$path = $path->remove_tree;
$path = $path->remove_tree({keep_root => 1});

Delete this directory and any files and subdirectories it may contain, any additional arguments are passed through to File::Path.

sibling

my $sibling = $path->sibling('.vimrc');

Return a new Mojo::File object relative to the directory part of the path.

# "/home/sri/.vimrc" (on UNIX)
path('/home/sri/.bashrc')->sibling('.vimrc');

# "/home/sri/.ssh/known_hosts" (on UNIX)
path('/home/sri/.bashrc')->sibling('.ssh', 'known_hosts');

slurp

my $bytes = $path->slurp;

Read all data at once from the file.

spurt

$path = $path->spurt($bytes);
$path = $path->spurt(@chunks_of_bytes);

Write all data at once to the file.

tap

$path = $path->tap(sub {...});

Alias for "tap" in Mojo::Base.

to_abs

my $absolute = $path->to_abs;

Return absolute path as a Mojo::File object, the path does not need to exist on the file system.

to_array

my $parts = $path->to_array;

Split the path on directory separators.

# "home:sri:.vimrc" (on UNIX)
join ':', @{path('/home/sri/.vimrc')->to_array};

to_rel

my $relative = $path->to_rel('/some/base/path');

Return a relative path from the original path to the destination path as a Mojo::File object.

# "sri/.vimrc" (on UNIX)
path('/home/sri/.vimrc')->to_rel('/home');

to_string

my $str = $path->to_string;

Stringify the path.

with_roles

my $new_class = Mojo::File->with_roles('Mojo::File::Role::One');
my $new_class = Mojo::File->with_roles('+One', '+Two');
$path         = $path->with_roles('+One', '+Two');

Alias for "with_roles" in Mojo::Base.

OPERATORS

Mojo::File overloads the following operators.

array

my @parts = @$path;

Alias for "to_array".

bool

my $bool = !!$path;

Always true.

stringify

my $str = "$path";

Alias for "to_string".

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)