/ 
perl-5.11.2
/ perlreref
Security Advisories (22)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2011-0761 (2011-05-13)

Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

perlreref - Perl Regular Expressions Reference

DESCRIPTION

This is a quick reference to Perl's regular expressions. For full information see perlre and perlop, as well as the "SEE ALSO" section in this document.

OPERATORS

=~ determines to which variable the regex is applied. In its absence, $_ is used.

$var =~ /foo/;

!~ determines to which variable the regex is applied, and negates the result of the match; it returns false if the match succeeds, and true if it fails.

$var !~ /foo/;

m/pattern/msixpogc searches a string for a pattern match, applying the given options.

m  Multiline mode - ^ and $ match internal lines
s  match as a Single line - . matches \n
i  case-Insensitive
x  eXtended legibility - free whitespace and comments
p  Preserve a copy of the matched string -
   ${^PREMATCH}, ${^MATCH}, ${^POSTMATCH} will be defined.
o  compile pattern Once
g  Global - all occurrences
c  don't reset pos on failed matches when using /g

If 'pattern' is an empty string, the last successfully matched regex is used. Delimiters other than '/' may be used for both this operator and the following ones. The leading m can be omitted if the delimiter is '/'.

qr/pattern/msixpo lets you store a regex in a variable, or pass one around. Modifiers as for m//, and are stored within the regex.

s/pattern/replacement/msixpogce substitutes matches of 'pattern' with 'replacement'. Modifiers as for m//, with one addition:

e  Evaluate 'replacement' as an expression

'e' may be specified multiple times. 'replacement' is interpreted as a double quoted string unless a single-quote (') is the delimiter.

?pattern? is like m/pattern/ but matches only once. No alternate delimiters can be used. Must be reset with reset().

SYNTAX

\       Escapes the character immediately following it
.       Matches any single character except a newline (unless /s is used)
^       Matches at the beginning of the string (or line, if /m is used)
$       Matches at the end of the string (or line, if /m is used)
*       Matches the preceding element 0 or more times
+       Matches the preceding element 1 or more times
?       Matches the preceding element 0 or 1 times
{...}   Specifies a range of occurrences for the element preceding it
[...]   Matches any one of the characters contained within the brackets
(...)   Groups subexpressions for capturing to $1, $2...
(?:...) Groups subexpressions without capturing (cluster)
|       Matches either the subexpression preceding or following it
\1, \2, \3 ...           Matches the text from the Nth group
\g1 or \g{1}, \g2 ...    Matches the text from the Nth group
\g-1 or \g{-1}, \g-2 ... Matches the text from the Nth previous group
\g{name}     Named backreference
\k<name>     Named backreference
\k'name'     Named backreference
(?P=name)    Named backreference (python syntax)

ESCAPE SEQUENCES

These work as in normal strings.

\a       Alarm (beep)
\e       Escape
\f       Formfeed
\n       Newline
\r       Carriage return
\t       Tab
\037     Any octal ASCII value
\x7f     Any hexadecimal ASCII value
\x{263a} A wide hexadecimal value
\cx      Control-x
\N{name} A named character

\l  Lowercase next character
\u  Titlecase next character
\L  Lowercase until \E
\U  Uppercase until \E
\Q  Disable pattern metacharacters until \E
\E  End modification

For Titlecase, see "Titlecase".

This one works differently from normal strings:

\b  An assertion, not backspace, except in a character class

CHARACTER CLASSES

[amy]    Match 'a', 'm' or 'y'
[f-j]    Dash specifies "range"
[f-j-]   Dash escaped or at start or end means 'dash'
[^f-j]   Caret indicates "match any character _except_ these"

The following sequences work within or without a character class. The first six are locale aware, all are Unicode aware. See perllocale and perlunicode for details.

\d      A digit
\D      A nondigit
\w      A word character
\W      A non-word character
\s      A whitespace character
\S      A non-whitespace character
\h      An horizontal white space
\H      A non horizontal white space
\N      A non newline (like . without /s)
\v      A vertical white space
\V      A non vertical white space
\R      A generic newline           (?>\v|\x0D\x0A)

\C      Match a byte (with Unicode, '.' matches a character)
\pP     Match P-named (Unicode) property
\p{...} Match Unicode property with long name
\PP     Match non-P
\P{...} Match lack of Unicode property with long name
\X      Match extended Unicode combining character sequence

POSIX character classes and their Unicode and Perl equivalents:

alnum   IsAlnum              Alphanumeric
alpha   IsAlpha              Alphabetic
ascii   IsASCII              Any ASCII char
blank   IsSpace  [ \t]       Horizontal whitespace (GNU extension)
cntrl   IsCntrl              Control characters
digit   IsDigit  \d          Digits
graph   IsGraph              Alphanumeric and punctuation
lower   IsLower              Lowercase chars (locale and Unicode aware)
print   IsPrint              Alphanumeric, punct, and space
punct   IsPunct              Punctuation
space   IsSpace  [\s\ck]     Whitespace
        IsSpacePerl   \s     Perl's whitespace definition
upper   IsUpper              Uppercase chars (locale and Unicode aware)
word    IsWord   \w          Alphanumeric plus _ (Perl extension)
xdigit  IsXDigit [0-9A-Fa-f] Hexadecimal digit

Within a character class:

POSIX       traditional   Unicode
[:digit:]       \d        \p{IsDigit}
[:^digit:]      \D        \P{IsDigit}

ANCHORS

All are zero-width assertions.

^  Match string start (or line, if /m is used)
$  Match string end (or line, if /m is used) or before newline
\b Match word boundary (between \w and \W)
\B Match except at word boundary (between \w and \w or \W and \W)
\A Match string start (regardless of /m)
\Z Match string end (before optional newline)
\z Match absolute string end
\G Match where previous m//g left off

\K Keep the stuff left of the \K, don't include it in $&

QUANTIFIERS

Quantifiers are greedy by default -- match the longest leftmost.

Maximal Minimal Possessive Allowed range
------- ------- ---------- -------------
{n,m}   {n,m}?  {n,m}+     Must occur at least n times
                           but no more than m times
{n,}    {n,}?   {n,}+      Must occur at least n times
{n}     {n}?    {n}+       Must occur exactly n times
*       *?      *+         0 or more times (same as {0,})
+       +?      ++         1 or more times (same as {1,})
?       ??      ?+         0 or 1 time (same as {0,1})

The possessive forms (new in Perl 5.10) prevent backtracking: what gets matched by a pattern with a possessive quantifier will not be backtracked into, even if that causes the whole match to fail.

There is no quantifier {,n} -- that gets understood as a literal string.

EXTENDED CONSTRUCTS

(?#text)          A comment
(?:...)           Groups subexpressions without capturing (cluster)
(?pimsx-imsx:...) Enable/disable option (as per m// modifiers)
(?=...)           Zero-width positive lookahead assertion
(?!...)           Zero-width negative lookahead assertion
(?<=...)          Zero-width positive lookbehind assertion
(?<!...)          Zero-width negative lookbehind assertion
(?>...)           Grab what we can, prohibit backtracking
(?|...)           Branch reset
(?<name>...)      Named capture
(?'name'...)      Named capture
(?P<name>...)     Named capture (python syntax)
(?{ code })       Embedded code, return value becomes $^R
(??{ code })      Dynamic regex, return value used as regex
(?N)              Recurse into subpattern number N
(?-N), (?+N)      Recurse into Nth previous/next subpattern
(?R), (?0)        Recurse at the beginning of the whole pattern
(?&name)          Recurse into a named subpattern
(?P>name)         Recurse into a named subpattern (python syntax)
(?(cond)yes|no)
(?(cond)yes)      Conditional expression, where "cond" can be:
                  (N)       subpattern N has matched something
                  (<name>)  named subpattern has matched something
                  ('name')  named subpattern has matched something
                  (?{code}) code condition
                  (R)       true if recursing
                  (RN)      true if recursing into Nth subpattern
                  (R&name)  true if recursing into named subpattern
                  (DEFINE)  always false, no no-pattern allowed

VARIABLES

$_    Default variable for operators to use

$`    Everything prior to matched string
$&    Entire matched string
$'    Everything after to matched string

${^PREMATCH}   Everything prior to matched string
${^MATCH}      Entire matched string
${^POSTMATCH}  Everything after to matched string

The use of $`, $& or $' will slow down all regex use within your program. Consult perlvar for @- to see equivalent expressions that won't cause slow down. See also Devel::SawAmpersand. Starting with Perl 5.10, you can also use the equivalent variables ${^PREMATCH}, ${^MATCH} and ${^POSTMATCH}, but for them to be defined, you have to specify the /p (preserve) modifier on your regular expression.

$1, $2 ...  hold the Xth captured expr
$+    Last parenthesized pattern match
$^N   Holds the most recently closed capture
$^R   Holds the result of the last (?{...}) expr
@-    Offsets of starts of groups. $-[0] holds start of whole match
@+    Offsets of ends of groups. $+[0] holds end of whole match
%+    Named capture buffers
%-    Named capture buffers, as array refs

Captured groups are numbered according to their opening paren.

FUNCTIONS

lc          Lowercase a string
lcfirst     Lowercase first char of a string
uc          Uppercase a string
ucfirst     Titlecase first char of a string

pos         Return or set current match position
quotemeta   Quote metacharacters
reset       Reset ?pattern? status
study       Analyze string for optimizing matching

split       Use a regex to split a string into parts

The first four of these are like the escape sequences \L, \l, \U, and \u. For Titlecase, see "Titlecase".

TERMINOLOGY

Titlecase

Unicode concept which most often is equal to uppercase, but for certain characters like the German "sharp s" there is a difference.

AUTHOR

Iain Truskett. Updated by the Perl 5 Porters.

This document may be distributed under the same terms as Perl itself.

SEE ALSO

THANKS

David P.C. Wollmann, Richard Soderberg, Sean M. Burke, Tom Christiansen, Jim Cromie, and Jeffrey Goff for useful advice.