Security Advisories (18)
CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

$ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

Module::Pluggable - automatically give your module the ability to have plugins

SYNOPSIS

Simple use Module::Pluggable -

package MyClass;
use Module::Pluggable;

and then later ...

use MyClass;
my $mc = MyClass->new();
# returns the names of all plugins installed under MyClass::Plugin::*
my @plugins = $mc->plugins(); 

EXAMPLE

Why would you want to do this? Say you have something that wants to pass an object to a number of different plugins in turn. For example you may want to extract meta-data from every email you get sent and do something with it. Plugins make sense here because then you can keep adding new meta data parsers and all the logic and docs for each one will be self contained and new handlers are easy to add without changing the core code. For that, you might do something like ...

package Email::Examiner;

use strict;
use Email::Simple;
use Module::Pluggable require => 1;

sub handle_email {
    my $self  = shift;
    my $email = shift;

    foreach my $plugin ($self->plugins) {
        $plugin->examine($email);
    }

    return 1;
}

.. and all the plugins will get a chance in turn to look at it.

This can be trivially extended so that plugins could save the email somewhere and then no other plugin should try and do that. Simply have it so that the examine method returns 1 if it has saved the email somewhere. You might also want to be paranoid and check to see if the plugin has an examine method.

foreach my $plugin ($self->plugins) {
    next unless $plugin->can('examine');
    last if     $plugin->examine($email);
}

And so on. The sky's the limit.

DESCRIPTION

Provides a simple but, hopefully, extensible way of having 'plugins' for your module. Obviously this isn't going to be the be all and end all of solutions but it works for me.

Essentially all it does is export a method into your namespace that looks through a search path for .pm files and turns those into class names.

Optionally it instantiates those classes for you.

ADVANCED USAGE

Alternatively, if you don't want to use 'plugins' as the method ...

package MyClass;
use Module::Pluggable sub_name => 'foo';

and then later ...

my @plugins = $mc->foo();

Or if you want to look in another namespace

package MyClass;
use Module::Pluggable search_path => ['Acme::MyClass::Plugin', 'MyClass::Extend'];

or directory

use Module::Pluggable search_dirs => ['mylibs/Foo'];

Or if you want to instantiate each plugin rather than just return the name

package MyClass;
use Module::Pluggable instantiate => 'new';

and then

# whatever is passed to 'plugins' will be passed 
# to 'new' for each plugin 
my @plugins = $mc->plugins(@options); 

alternatively you can just require the module without instantiating it

package MyClass;
use Module::Pluggable require => 1;

since requiring automatically searches inner packages, which may not be desirable, you can turn this off

package MyClass;
use Module::Pluggable require => 1, inner => 0;

You can limit the plugins loaded using the except option, either as a string, array ref or regex

package MyClass;
use Module::Pluggable except => 'MyClass::Plugin::Foo';

or

package MyClass;
use Module::Pluggable except => ['MyClass::Plugin::Foo', 'MyClass::Plugin::Bar'];

or

package MyClass;
use Module::Pluggable except => qr/^MyClass::Plugin::(Foo|Bar)$/;

and similarly for only which will only load plugins which match.

Remember you can use the module more than once

package MyClass;
use Module::Pluggable search_path => 'MyClass::Filters', sub_name => 'filters';
use Module::Pluggable search_path => 'MyClass::Plugins', sub_name => 'plugins';

and then later ...

my @filters = $self->filters;
my @plugins = $self->plugins;

PLUGIN SEARCHING

Every time you call 'plugins' the whole search path is walked again. This allows for dynamically loading plugins even at run time. However this can get expensive and so if you don't expect to want to add new plugins at run time you could do

package Foo;
use strict;
use Module::Pluggable sub_name => '_plugins';

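our @PLUGINS;
# walk the search path only on the first call, then reuse the cached list
sub plugins { @PLUGINS = shift->_plugins unless @PLUGINS; return @PLUGINS }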
1;

INNER PACKAGES

If you have, for example, a file lib/Something/Plugin/Foo.pm that contains package definitions for both Something::Plugin::Foo and Something::Plugin::Bar then as long as you have either the require or instantiate option set then we'll also find Something::Plugin::Bar. Nifty!

OPTIONS

You can pass a hash of options when importing this module.

The options can be ...

sub_name

The name of the subroutine to create in your namespace.

By default this is 'plugins'

search_path

An array ref of namespaces to look in.

search_dirs

An array ref of directories to look in before @INC.

instantiate

Call this method on the class. In general this will probably be 'new' but it can be whatever you want. Whatever arguments are passed to 'plugins' will be passed to the method.

The default is 'undef' i.e just return the class name.

require

Just require the class, don't instantiate (overrides 'instantiate');

inner

If set to 0 will not search inner packages. If set to 1 will override require.

only

Takes a string, array ref or regex describing the names of the only plugins to return. Whilst this may seem perverse ... well, it is. But it also makes sense. Trust me.

except

Similar to only it takes a description of plugins to exclude from returning. This is slightly less perverse.

package

This is for use by extension modules which build on Module::Pluggable: passing a package option allows you to place the plugin method in a different package other than your own.

file_regex

By default Module::Pluggable only looks for .pm files.

By supplying a new file_regex then you can change this behaviour e.g

file_regex => qr/\.plugin$/

include_editor_junk

By default Module::Pluggable ignores files that look like they were left behind by editors. Currently this means files ending in ~, the extensions .swp or .swo, or files beginning with .#.

Setting include_editor_junk changes Module::Pluggable so it does not ignore any files it finds.

follow_symlinks

Whether, when searching directories, to follow symlinks.

Defaults to 1 i.e do follow symlinks.

min_depth, max_depth

This will allow you to set what 'depth' of plugin will be allowed.

So, for example, MyClass::Plugin::Foo will have a depth of 3 and MyClass::Plugin::Foo::Bar will have a depth of 4 so to only get the former (i.e MyClass::Plugin::Foo) do

package MyClass;
use Module::Pluggable max_depth => 3;

and to only get the latter (i.e MyClass::Plugin::Foo::Bar)

package MyClass;
use Module::Pluggable min_depth => 4;

TRIGGERS

Various triggers can also be passed in to the options.

If any of these triggers return 0 then the plugin will not be returned.

before_require <plugin>

Gets passed the plugin name.

If 0 is returned then this plugin will not be required either.

on_require_error <plugin> <err>

Gets called when there's an error on requiring the plugin.

Gets passed the plugin name and the error.

The default on_require_error handler is to carp the error and return 0.

on_instantiate_error <plugin> <err>

Gets called when there's an error on instantiating the plugin.

Gets passed the plugin name and the error.

The default on_instantiate_error handler is to carp the error and return 0.

after_require <plugin>

Gets passed the plugin name.

If 0 is returned then this plugin will be required but not returned as a plugin.
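The triggers above can act as a gate in front of plugin loading. The following is an added example, not code from the Module::Pluggable distribution: it allowlists plugin class names in before_require so an unreviewed file is never compiled, records load failures in on_require_error, and uses after_require to drop classes without an examine method. The MyApp::Plugin::* classes, the allowlist and the temporary directory are constructed for illustration, and it assumes Module::Pluggable is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package MyApp;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Constructed sample plugins, written to a temp directory so this runs offline.
my ($dir, %ALLOWED, @rejected, @failed);
BEGIN {
    $dir = tempdir(CLEANUP => 1);
    make_path("$dir/MyApp/Plugin");
    my %src = (
        Good    => 'package MyApp::Plugin::Good; sub examine { "examined $_[1]" } 1;',
        Broken  => 'package MyApp::Plugin::Broken; die "cannot initialise\n";',
        Unknown => 'package MyApp::Plugin::Unknown; sub examine { "unreviewed" } 1;',
    );
    for my $name (sort keys %src) {
        open my $fh, '>', "$dir/MyApp/Plugin/$name.pm" or die "write $name: $!";
        print {$fh} $src{$name}, "\n";
        close $fh or die "close $name: $!";
    }
    # Allowlist of reviewed plugin classes (an assumed policy for this example).
    %ALLOWED = map { $_ => 1 } qw(MyApp::Plugin::Good MyApp::Plugin::Broken);
}

use Module::Pluggable
    search_path     => ['MyApp::Plugin'],
    search_dirs     => [$dir],  # searched before @INC, not instead of it
    require         => 1,
    inner           => 0,       # ignore extra packages defined inside a plugin file
    follow_symlinks => 0,       # do not leave the plugin directory through symlinks
    # Called before the file is compiled: returning 0 means it is never required.
    before_require   => sub { $ALLOWED{ $_[0] } ? 1 : do { push @rejected, $_[0]; 0 } },
    # Record the failure instead of the default carp; 0 keeps the plugin out of the list.
    on_require_error => sub { push @failed, "$_[0]: " . (split /\n/, $_[1])[0]; 0 },
    # The class is loaded by now, but is only returned if it has the expected method.
    after_require    => sub { $_[0]->can('examine') ? 1 : 0 };

my @plugins = sort MyApp->plugins;
print "loaded:   @plugins\n";
print "rejected: @rejected\n";
print "failed:   $_\n" for @failed;
print "Unknown compiled? ", (exists $INC{'MyApp/Plugin/Unknown.pm'} ? "yes" : "no"), "\n";
print $_->examine('message-1'), "\n" for @plugins;
```

Because every call to plugins walks the search path again, the triggers run on each call; cache the result if the rejected and failed lists should be collected only once.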

METHODS

search_path

The method search_path is exported into your namespace as well. You can call that at any time to change or replace the search_path.

$self->search_path( add => "New::Path" ); # add
$self->search_path( new => "New::Path" ); # replace

BEHAVIOUR UNDER TEST ENVIRONMENT

In order to make testing reliable we exclude anything not from blib if blib.pm is in %INC.

However if the module being tested used another module that itself used Module::Pluggable then the second module would fail. This was fixed by checking to see if the caller had (^|/)blib/ in their filename.

There's an argument that this is the wrong behaviour and that modules should explicitly trigger this behaviour but that particular code has been around for 7 years now and I'm reluctant to change the default behaviour.

You can now (as of version 4.1) force Module::Pluggable to look outside blib in a test environment by doing either

require Module::Pluggable;
$Module::Pluggable::FORCE_SEARCH_ALL_PATHS = 1;
import Module::Pluggable;

or

use Module::Pluggable force_search_all_paths => 1;

FUTURE PLANS

This does everything I need and I can't really think of any other features I want to add. Famous last words of course.

Recently tried to fix it to find inner packages and to make it 'just work' with PAR but there are still some issues.

However suggestions (and patches) are welcome.

DEVELOPMENT

The master repo for this module is at

https://github.com/simonwistow/Module-Pluggable

AUTHOR

Simon Wistow <simon@thegestalt.org>

COPYING

Copyright, 2006 Simon Wistow

Distributed under the same terms as Perl itself.

BUGS

None known.

SEE ALSO

File::Spec, File::Find, File::Basename, Class::Factory::Util, Module::Pluggable::Ordered