Diffstat (limited to 'pod')
-rw-r--r--  pod/perldelta.pod   83
-rw-r--r--  pod/perlfaq1.pod    12
-rw-r--r--  pod/perlfaq6.pod    20
-rw-r--r--  pod/perlop.pod      56
-rw-r--r--  pod/perlrun.pod      5
-rw-r--r--  pod/perlsec.pod      5
-rw-r--r--  pod/perltoc.pod     37
7 files changed, 133 insertions, 85 deletions
diff --git a/pod/perldelta.pod b/pod/perldelta.pod index a8c0909a4c..9c85450dd0 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod @@ -16,8 +16,8 @@ cannot be built there, for lack of a reasonable command interpreter. =head1 Core Changes -Most importantly, many bugs were fixed. See the F<Changes> -file in the distribution for details. +Most importantly, many bugs were fixed, including several security +problems. See the F<Changes> file in the distribution for details. =head2 Compilation option: Binary compatibility with 5.003 @@ -36,7 +36,7 @@ variable as if its contents had appeared on a "#!perl" line at the beginning of your script, except that hyphens are optional. PERL5OPT may only be used to set the following switches: B<-[DIMUdmw]>. -=head2 Limitations on B<-M>, and C<-m>, and B<-T> options +=head2 Limitations on B<-M>, B<-m>, and B<-T> options The C<-M> and C<-m> options are no longer allowed on the C<#!> line of a script. If a script needs a module, it should invoke it with the 
@@ -158,6 +158,33 @@ previously-working script to now fail -- which should be construed as a blessing, since that indicates a potentially-serious security hole was just plugged. +The new restrictions when tainting include: + +=over + +=item No glob() or <*> + +These operators may spawn the C shell (csh), which cannot be made +safe. This restriction will be lifted in a future version of Perl +when globbing is implemented without the use of an external program. + +=item No spawning if tainted $CDPATH, $ENV, $BASH_ENV + +These environment variables may alter the behavior of spawned programs +(especially shells) in ways that subvert security. So now they are +treated as dangerous, in the manner of $IFS and $PATH. + +=item No spawning if tainted $TERM doesn't look like a terminal name + +Some termcap libraries do unsafe things with $TERM. However, it would be +unnecessarily harsh to treat all $TERM values as unsafe, since only shell +metacharacters can cause trouble in $TERM. So a tainted $TERM is +considered to be safe if it contains only alphanumerics, underscores, +dashes, and colons, and unsafe if it contains other characters (including +whitespace). + +=back + =head2 New Opcode module and revised Safe module A new Opcode module supports the creation, manipulation and @@ -182,8 +209,8 @@ it is now merely a front end to the IO::* modules -- specifically, IO::Handle, IO::Seekable, and IO::File. We suggest, but do not require, that you use the IO::* modules in new code. -In harmony with this change, C<*GLOB{FILEHANDLE}> is now a -backward-compatible synonym for C<*STDOUT{IO}>. +In harmony with this change, C<*GLOB{FILEHANDLE}> is now just a +backward-compatible synonym for C<*GLOB{IO}>. =head2 Internal change: PerlIO abstraction interface 
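Review bot: the "No glob() or <*>" item in the tainting list does not say whether the refusal applies to every glob under -T or only to a tainted pattern; the two $ENV items beside it name the tainted operand, this one does not, so a reader cannot tell whether a literal `glob("*.c")` is still allowed in a -T script. Add a clause such as "regardless of whether the pattern is tainted" (or its opposite, whichever the implementation does). Since the hunk above now advertises "several security problems" fixed without naming them, an "see L<Changes to tainting checks> below" there would also give that sentence something to point at.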
@@ -415,25 +442,16 @@ of course, or if you want a seed other than the default. Functions documented in the Camel to default to $_ now in fact do, and all those that do are so documented in L<perlfunc>. -=item C<m//g> does not reset search position on failure +=item C<m//gc> does not reset search position on failure -The C<m//g> match iteration construct used to reset its target string's -search position (which is visible through the C<pos> operator) when a -match failed; as a result, the next C<m//g> match would start at the -beginning of the string). With Perl 5.004, the search position must be -reset explicitly, as with C<pos $str = 0;>, or by modifying the target -string. This change in Perl makes it possible to chain matches together -in conjunction with the C<\G> zero-width assertion. See L<perlop> and -L<perlre>. - -Here is an illustration of what it takes to get the old behavior: - - for ( qw(this and that are not what you think you got) ) { - while ( /(\w*t\w*)/g ) { print "t word is: $1\n" } - pos = 0; # REQUIRED FOR 5.004 - while ( /(\w*a\w*)/g ) { print "a word is: $1\n" } - print "\n"; - } +The C<m//g> match iteration construct has always reset its target +string's search position (which is visible through the C<pos> operator) +when a match fails; as a result, the next C<m//g> match after a failure +starts again at the beginning of the string. With Perl 5.004, this +reset may be disabled by adding the "c" (for "continue") modifier, +i.e. C<m//gc>. This feature, in conjunction with the C<\G> zero-width +assertion, makes it possible to chain matches together. See L<perlop> +and L<perlre>. =item C<m//x> ignores whitespace before ?*+{} 
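Review bot: the rewritten C<m//gc> item removes the only worked example, so the new modifier is described but never shown; a two-line illustration (a C<m//gc> that fails, followed by C<pos> still returning the old offset) would replace what was dropped. The new text also states that C<m//g> "has always reset" the position, which directly contradicts the paragraph it replaces (which said 5.004 stopped resetting); if the earlier description was simply wrong, a short sentence saying so would help anyone who read it in the beta documentation.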
@@ -452,16 +470,16 @@ right. They do now. Just like anonymous functions that contain lexical variables that change (like a lexical index variable for a C<foreach> loop), formats now work properly. For example, this silently failed -before, and is fine now: +before (printed only zeros), but is fine now: my $i; foreach $i ( 1 .. 10 ) { - format = + write; + } + format = my i is @# $i . - write; - } =back @@ -1057,6 +1075,10 @@ new pods are included in section 1: This document. +=item L<perlfaq> + +Frequently asked questions. + =item L<perllocale> Locale support (internationalization and localization). @@ -1069,6 +1091,11 @@ Tutorial on Perl OO programming. Perl internal IO abstraction interface. +=item L<perlmodlib> + +Perl module library and recommended practice for module creation. +Extracted from L<perlmod> (which is much smaller as a result). + =item L<perldebug> Although not new, this has been massively updated. @@ -1519,4 +1546,4 @@ Constructed by Tom Christiansen, grabbing material with permission from innumerable contributors, with kibitzing by more than a few Perl porters. -Last update: Sat Mar 8 19:51:26 EST 1997 +Last update: Wed May 14 11:14:09 EDT 1997 diff --git a/pod/perlfaq1.pod b/pod/perlfaq1.pod index 6af40ae129..a9a5fd4858 100644 --- a/pod/perlfaq1.pod +++ b/pod/perlfaq1.pod 
@@ -50,12 +50,12 @@ users the informal support will more than suffice. See the answer to =head2 Which version of Perl should I use? You should definitely use version 5. Version 4 is old, limited, and -no longer maintained. Its last patch (4.036) was in 1992. The last -production release was 5.003, and the current experimental release for -those at the bleeding edge (as of 27/03/97) is 5.003_92, considered a beta -for production release 5.004, which will probably be out by the time -you read this. Further references to the Perl language in this document -refer to the current production release unless otherwise specified. +no longer maintained; its last patch (4.036) was in 1992. The most +recent production release is 5.004. Further references to the Perl +language in this document refer to this production release unless +otherwise specified. There may be one or more official bug fixes for +5.004 by the time you read this, and also perhaps some experimental +versions on the way to the next release. =head2 What are perl4 and perl5? diff --git a/pod/perlfaq6.pod b/pod/perlfaq6.pod index d21a11157b..535e464455 100644 --- a/pod/perlfaq6.pod +++ b/pod/perlfaq6.pod 
@@ -479,15 +479,17 @@ Or, using C<\G>, the much simpler (and faster): A more sophisticated use might involve a tokenizer. The following lex-like example is courtesy of Jeffrey Friedl. It did not work in -5.003 due to bugs in that release, but does work in 5.004 or better: +5.003 due to bugs in that release, but does work in 5.004 or better. +(Note the use of C</c>, which prevents a failed match with C</g> from +resetting the search position back to the beginning of the string.) while (<>) { chomp; PARSER: { - m/ \G( \d+\b )/gx && do { print "number: $1\n"; redo; }; - m/ \G( \w+ )/gx && do { print "word: $1\n"; redo; }; - m/ \G( \s+ )/gx && do { print "space: $1\n"; redo; }; - m/ \G( [^\w\d]+ )/gx && do { print "other: $1\n"; redo; }; + m/ \G( \d+\b )/gcx && do { print "number: $1\n"; redo; }; + m/ \G( \w+ )/gcx && do { print "word: $1\n"; redo; }; + m/ \G( \s+ )/gcx && do { print "space: $1\n"; redo; }; + m/ \G( [^\w\d]+ )/gcx && do { print "other: $1\n"; redo; }; } } @@ -496,19 +498,19 @@ Of course, that could have been written as while (<>) { chomp; PARSER: { - if ( /\G( \d+\b )/gx { + if ( /\G( \d+\b )/gcx { print "number: $1\n"; redo PARSER; } - if ( /\G( \w+ )/gx { + if ( /\G( \w+ )/gcx { print "word: $1\n"; redo PARSER; } - if ( /\G( \s+ )/gx { + if ( /\G( \s+ )/gcx { print "space: $1\n"; redo PARSER; } - if ( /\G( [^\w\d]+ )/gx { + if ( /\G( [^\w\d]+ )/gcx { print "other: $1\n"; redo PARSER; } diff --git a/pod/perlop.pod b/pod/perlop.pod index 7f39b9d4de..d853865520 100644 --- a/pod/perlop.pod +++ b/pod/perlop.pod 
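Review bot: the four C<if> lines in the second perlfaq6 hunk are missing the closing parenthesis of the condition: C<if ( /\G( \d+\b )/gcx {> opens C<if (> and never closes it (the C<)> inside belongs to the capture group), so the "could have been written as" version does not compile. Since the hunk already touches each of these lines to add C</c>, fix them here, e.g. C<if ( /\G( \d+\b )/gcx ) {>, and the same for the C<\w+>, C<\s+> and C<[^\w\d]+> lines.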
@@ -697,18 +697,22 @@ If there are no parentheses, it returns a list of all the matched strings, as if there were parentheses around the whole pattern. In a scalar context, C<m//g> iterates through the string, returning TRUE -each time it matches, and FALSE when it eventually runs out of -matches. (In other words, it remembers where it left off last time and -restarts the search at that point. You can actually find the current -match position of a string or set it using the pos() function--see -L<perlfunc/pos>.) Note that you can use this feature to stack C<m//g> -matches or intermix C<m//g> matches with C<m/\G.../g>. Note that -the C<\G> zero-width assertion is not supported without the C</g> -modifier; currently, without C</g>, C<\G> behaves just like C<\A>, but -that's accidental and may change in the future. - -If you modify the string in any way, the match position is reset to the -beginning. Examples: +each time it matches, and FALSE when it eventually runs out of matches. +(In other words, it remembers where it left off last time and restarts +the search at that point. You can actually find the current match +position of a string or set it using the pos() function; see +L<perlfunc/pos>.) A failed match normally resets the search position to +the beginning of the string, but you can avoid that by adding the "c" +modifier (e.g. C<m//gc>). Modifying the target string also resets the +search position. + +You can intermix C<m//g> matches with C<m/\G.../g>, where C<\G> is a +zero-width assertion that matches the exact position where the previous +C<m//g>, if any, left off. The C<\G> assertion is not supported without +the C</g> modifier; currently, without C</g>, C<\G> behaves just like +C<\A>, but that's accidental and may change in the future. + +Examples: # list context ($one,$five,$fifteen) = (`uptime` =~ /(\d+\.\d+)/g); 
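Review bot: the new sentence "You can intermix C<m//g> matches with C<m/\G.../g>" is inconsistent with the paragraph just before it, which now says a failed C<m//g> resets the search position unless C</c> is given; the intermixing idiom only works reliably with C<m//gc>, which is what the examples later in this file (and the lex-like scanner hunk below) were changed to use. Write C<m//gc> and C<m/\G.../gc> here so the prose matches the examples.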
@@ -722,15 +726,15 @@ beginning. Examples: } print "$sentences\n"; - # using m//g with \G + # using m//gc with \G $_ = "ppooqppqq"; while ($i++ < 2) { print "1: '"; - print $1 while /(o)/g; print "', pos=", pos, "\n"; + print $1 while /(o)/gc; print "', pos=", pos, "\n"; print "2: '"; - print $1 if /\G(q)/g; print "', pos=", pos, "\n"; + print $1 if /\G(q)/gc; print "', pos=", pos, "\n"; print "3: '"; - print $1 while /(p)/g; print "', pos=", pos, "\n"; + print $1 while /(p)/gc; print "', pos=", pos, "\n"; } The last example should print: 
@@ -742,23 +746,23 @@ The last example should print: 2: 'q', pos=8 3: '', pos=8 -A useful idiom for C<lex>-like scanners is C</\G.../g>. You can +A useful idiom for C<lex>-like scanners is C</\G.../gc>. You can combine several regexps like this to process a string part-by-part, -doing different actions depending on which regexp matched. The next -regexp would step in at the place the previous one left off. +doing different actions depending on which regexp matched. Each +regexp tries to match where the previous one leaves off. $_ = <<'EOL'; $url = new URI::URL "http://www/"; die if $url eq "xXx"; EOL LOOP: { - print(" digits"), redo LOOP if /\G\d+\b[,.;]?\s*/g; - print(" lowercase"), redo LOOP if /\G[a-z]+\b[,.;]?\s*/g; - print(" UPPERCASE"), redo LOOP if /\G[A-Z]+\b[,.;]?\s*/g; - print(" Capitalized"), redo LOOP if /\G[A-Z][a-z]+\b[,.;]?\s*/g; - print(" MiXeD"), redo LOOP if /\G[A-Za-z]+\b[,.;]?\s*/g; - print(" alphanumeric"), redo LOOP if /\G[A-Za-z0-9]+\b[,.;]?\s*/g; - print(" line-noise"), redo LOOP if /\G[^A-Za-z0-9]+/g; + print(" digits"), redo LOOP if /\G\d+\b[,.;]?\s*/gc; + print(" lowercase"), redo LOOP if /\G[a-z]+\b[,.;]?\s*/gc; + print(" UPPERCASE"), redo LOOP if /\G[A-Z]+\b[,.;]?\s*/gc; + print(" Capitalized"), redo LOOP if /\G[A-Z][a-z]+\b[,.;]?\s*/gc; + print(" MiXeD"), redo LOOP if /\G[A-Za-z]+\b[,.;]?\s*/gc; + print(" alphanumeric"), redo LOOP if /\G[A-Za-z0-9]+\b[,.;]?\s*/gc; + print(" line-noise"), redo LOOP if /\G[^A-Za-z0-9]+/gc; print ". That's all!\n"; } diff --git a/pod/perlrun.pod b/pod/perlrun.pod index 6d8ee20a72..c4679e1def 100644 --- a/pod/perlrun.pod +++ b/pod/perlrun.pod @@ -593,8 +593,5 @@ honest: $ENV{PATH} = '/bin:/usr/bin'; # or whatever you need $ENV{SHELL} = '/bin/sh' if exists $ENV{SHELL}; - delete $ENV{IFS}; - delete $ENV{ENV}; - delete $ENV{CDPATH}; - $ENV{TERM} = 'dumb' if exists $ENV{TERM}; + delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; diff --git a/pod/perlsec.pod b/pod/perlsec.pod index 29a9167cf4..1a1ae21e81 100644 
--- a/pod/perlsec.pod +++ b/pod/perlsec.pod @@ -58,10 +58,7 @@ For example: $path = $ENV{'PATH'}; # $path now tainted $ENV{'PATH'} = '/bin:/usr/bin'; - delete $ENV{'IFS'}; - delete $ENV{'CDPATH'}; - delete $ENV{'ENV'}; - $ENV{'TERM'} = 'dumb'; + delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; $path = $ENV{'PATH'}; # $path now NOT tainted system "echo $data"; # Is secure now! diff --git a/pod/perltoc.pod b/pod/perltoc.pod index 0340059b15..d58f12cf86 100644 --- a/pod/perltoc.pod +++ b/pod/perltoc.pod @@ -898,7 +898,7 @@ CGI script to do bad things? =item $PERL5OPT environment variable -=item Limitations on B<-M>, and C<-m>, and B<-T> options +=item Limitations on B<-M>, B<-m>, and B<-T> options =item More precise warnings @@ -916,6 +916,9 @@ CGI script to do bad things? =item Changes to tainting checks +No glob() or <*>, No spawning if tainted $CDPATH, $ENV, $BASH_ENV, No +spawning if tainted $TERM doesn't look like a terminal name + =item New Opcode module and revised Safe module =item Embedding improvements @@ -940,7 +943,7 @@ $^E, $^H, $^M delete on slices, flock, printf and sprintf, keys as an lvalue, my() in Control Structures, pack() and unpack(), sysseek(), use VERSION, use Module -VERSION LIST, prototype(FUNCTION), srand, $_ as Default, C<m//g> does not +VERSION LIST, prototype(FUNCTION), srand, $_ as Default, C<m//gc> does not reset search position on failure, C<m//x> ignores whitespace before ?*+{}, nested C<sub{}> closures work now, formats work right on changing lexicals @@ -1027,8 +1030,8 @@ manipulating hashes =item Documentation Changes -L<perldelta>, L<perllocale>, L<perltoot>, L<perlapio>, L<perldebug>, -L<perlsec> +L<perldelta>, L<perlfaq>, L<perllocale>, L<perltoot>, L<perlapio>, +L<perlmodlib>, L<perldebug>, L<perlsec> =item New Diagnostics @@ -1941,7 +1944,7 @@ safe subprocesses, sockets, and semaphores) =item Safe Pipe Opens -=item Bidirectional Communication +=item Bidirectional Communication with Another Process =back 
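Review bot: dropping C<$ENV{'TERM'} = 'dumb'> from the perlsec example (and from the matching perlrun hunk above) relies on the new rule described in perldelta, that a tainted $TERM is accepted when it contains only alphanumerics, underscores, dashes and colons, but neither perlsec nor perlrun mentions that rule, so a reader of this file alone sees TERM silently disappear from the list of dangerous variables. Either add a sentence stating the TERM check next to the C<delete @ENV{...}> line or keep the assignment. The two files also spell the same deletion differently (C<qw(IFS CDPATH ENV BASH_ENV)> in perlrun, a quoted list here); one form in both would make the recommended idiom easier to copy.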
@@ -1953,13 +1956,29 @@ safe subprocesses, sockets, and semaphores) =item Unix-Domain TCP Clients and Servers -=item UDP: Message Passing +=back + +=item TCP Clients with IO::Socket + +=over + +=item A Simple Client + +C<Proto>, C<PeerAddr>, C<PeerPort> + +=item A Webget Client + +=item Interactive Client with IO::Socket =back -=item SysV IPC +=item TCP Servers with IO::Socket -=item WARNING +Proto, LocalPort, Listen, Reuse + +=item UDP: Message Passing + +=item SysV IPC =item NOTES @@ -3005,6 +3024,8 @@ B<-name>, B<-value>, B<-path>, B<-domain>, B<-expires>, B<-secure> document in the HTTP header, 3. Specify the destination for the document in the <FORM> tag +=item LIMITED SUPPORT FOR CASCADING STYLE SHEETS + =item DEBUGGING =over |