/ 
perl-5.9.3
/ lib/Test/Harness/bin/prove
Security Advisories (24)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2010-1158 (2010-04-20)

Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2005-3962 (2005-12-01)

Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

prove -- A command-line tool for running tests against Test::Harness

SYNOPSIS

prove [options] [files/directories]

Options:

-b, --blib      Adds blib/lib to the path for your tests, a la "use blib".
-d, --debug     Includes extra debugging information.
-D, --dry       Dry run: Show the tests to run, but don't run them.
    --ext=x     Extensions (defaults to .t)
-h, --help      Display this help
-H, --man       Longer manpage for prove
-I              Add libraries to @INC, as Perl's -I
-l, --lib       Add lib to the path for your tests.
-r, --recurse   Recursively descend into directories.
-s, --shuffle   Run the tests in a random order.
-T              Enable tainting checks
-t              Enable tainting warnings
    --timer     Print elapsed time after each test file
-v, --verbose   Display standard output of test scripts while running them.
-V, --version   Display version info

Single-character options may be stacked. Default options may be set by specifying the PROVE_SWITCHES environment variable.

OVERVIEW

prove is a command-line interface to the test-running functionality of Test::Harness. With no arguments, it will run all tests in the current directory.

Shell metacharacters may be used with command lines options and will be exanded via glob.

PROVE VS. "MAKE TEST"

prove has a number of advantages over make test when doing development.

  • prove is designed as a development tool

    Perl users typically run the test harness through a makefile via make test. That's fine for module distributions, but it's suboptimal for a test/code/debug development cycle.

  • prove is granular

    prove lets your run against only the files you want to check. Running prove t/live/ t/master.t checks every *.t in t/live, plus t/master.t.

  • prove has an easy verbose mode

    prove has a -v option to see the raw output from the tests. To do this with make test, you must set HARNESS_VERBOSE=1 in the environment.

  • prove can run under taint mode

    prove's -T runs your tests under perl -T, and -t runs them under perl -t.

  • prove can shuffle tests

    You can use prove's --shuffle option to try to excite problems that don't show up when tests are run in the same order every time.

  • prove doesn't rely on a make tool

    Not everyone wants to write a makefile, or use ExtUtils::MakeMaker to do so. prove has no external dependencies.

  • Not everything is a module

    More and more users are using Perl's testing tools outside the context of a module distribution, and may not even use a makefile at all.

COMMAND LINE OPTIONS

-b, --blib

Adds blib/lib to the path for your tests, a la "use blib".

-d, --debug

Include debug information about how prove is being run. This option doesn't show the output from the test scripts. That's handled by -v,--verbose.

-D, --dry

Dry run: Show the tests to run, but don't run them.

--ext=extension

Specify extensions of the test files to run. By default, these are .t, but you may have other non-.t test files, most likely .sh shell scripts. The --ext is repeatable.

-I

Add libraries to @INC, as Perl's -I.

-l, --lib

Add lib to @INC. Equivalent to -Ilib.

-r, --recurse

Descends into subdirectories of any directories specified, looking for tests.

-s, --shuffle

Sometimes tests are accidentally dependent on tests that have been run before. This switch will shuffle the tests to be run prior to running them, thus ensuring that hidden dependencies in the test order are likely to be revealed. The author hopes the run the algorithm on the preceding sentence to see if he can produce something slightly less awkward.

-t

Runs test programs under perl's -t taint warning mode.

-T

Runs test programs under perl's -T taint mode.

--timer

Print elapsed time after each test file

-v, --verbose

Display standard output of test scripts while running them. Also sets TEST_VERBOSE in case your tests rely on them.

-V, --version

Display version info.

BUGS

Please use the CPAN bug ticketing system at http://rt.cpan.org/. You can also mail bugs, fixes and enhancements to <bug-test-harness@rt.cpan.org>.

TODO

  • Shuffled tests must be recreatable

AUTHORS

Andy Lester <andy@petdance.com>

COPYRIGHT

Copyright 2005 by Andy Lester <andy@petdance.com>.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See http://www.perl.com/perl/misc/Artistic.html.