Security Advisories (24)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2010-1158 (2010-04-20)

Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2005-3962 (2005-12-01)

Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

File::Fetch - A generic file fetching mechanism

SYNOPSIS

use File::Fetch;

### build a File::Fetch object ###
my $ff = File::Fetch->new(uri => 'http://some.where.com/dir/a.txt');

### fetch the uri to cwd() ###
my $where = $ff->fetch() or die $ff->error;

### fetch the uri to /tmp ###
my $where = $ff->fetch( to => '/tmp' );

### parsed bits from the uri ###
$ff->uri;
$ff->scheme;
$ff->host;
$ff->path;
$ff->file;

DESCRIPTION

File::Fetch is a generic file fetching mechanism.

It allows you to fetch any file pointed to by an ftp, http, file, or rsync uri by a number of different means.

See the HOW IT WORKS section further down for details.

ACCESSORS

A File::Fetch object has the following accessors.

$ff->uri

The uri you passed to the constructor

$ff->scheme

The scheme from the uri (like 'file', 'http', etc)

$ff->host

The hostname in the uri; it will be empty for a 'file' scheme.

$ff->path

The path from the uri; it will be at least a single '/'.

$ff->file

The name of the remote file. For the local file name, the result of $ff->output_file will be used.

$ff->output_file

The name of the output file. This is the same as $ff->file, but any query parameters are stripped off. For example:

http://example.com/index.html?x=y

would make the output file be index.html rather than index.html?x=y.

METHODS

$ff = File::Fetch->new( uri => 'http://some.where.com/dir/file.txt' );

Parses the uri, creates a corresponding File::Fetch::Item object that is ready to be fetched, and returns it.

Returns false on failure.

$ff->fetch( [to => /my/output/dir/] )

Fetches the file you requested. By default it writes to cwd(), but you can override that by specifying the to argument.

Returns the full path to the downloaded file on success, and false on failure.

$ff->error([BOOL])

Returns the last encountered error as a string. Pass it a true value to get the Carp::longmess() output instead.

HOW IT WORKS

File::Fetch is able to fetch a variety of uris, by using several external programs and modules.

Below is a mapping of what utilities will be used in what order for what schemes, if available:

file    => LWP, file
http    => LWP, wget, curl, lynx
ftp     => LWP, Net::FTP, wget, curl, ncftp, ftp
rsync   => rsync

If you'd like to disable the use of one or more of these utilities and/or modules, see the $BLACKLIST variable further down.

If a utility or module isn't available, it will be marked in a cache (see the $METHOD_FAIL variable further down), so it will not be tried again. The fetch method will only fail when all options are exhausted, and it was not able to retrieve the file.

A special note about fetching files from an ftp uri:

By default, all ftp connections are done in passive mode. To change that, see the $FTP_PASSIVE variable further down.

Furthermore, ftp uris only support anonymous connections, so no named user/password pair can be passed along.

/bin/ftp is blacklisted by default; see the $BLACKLIST variable further down.

GLOBAL VARIABLES

The behaviour of File::Fetch can be altered by changing the following global variables:

$File::Fetch::FROM_EMAIL

This is the email address that will be sent as your anonymous ftp password.

Default is File-Fetch@example.com.

$File::Fetch::USER_AGENT

This is the useragent as LWP will report it.

Default is File::Fetch/$VERSION.

$File::Fetch::FTP_PASSIVE

This variable controls whether the environment variable FTP_PASSIVE and any passive switches to commandline tools will be set to true.

Default value is 1.

Note: When $FTP_PASSIVE is true, ncftp will not be used to fetch files, since passive mode can only be set interactively for this binary.

$File::Fetch::TIMEOUT

When set, controls the network timeout (counted in seconds).

Default value is 0.

$File::Fetch::WARN

This variable controls whether errors encountered internally by File::Fetch should be carp'd or not.

Set to false to silence warnings. Inspect the output of the error() method manually to see what went wrong.

Defaults to true.

$File::Fetch::DEBUG

This enables debugging output when calling commandline utilities to fetch files. This also enables Carp::longmess errors, instead of the regular carp errors.

Good for tracking down why things don't work with your particular setup.

Default is 0.

$File::Fetch::BLACKLIST

This is an array ref holding the blacklisted modules/utilities that will not be used for fetching files.

To disallow the use of, for example, LWP and Net::FTP, you could set $File::Fetch::BLACKLIST to:

$File::Fetch::BLACKLIST = [qw|lwp netftp|]

The default blacklist is [qw|ftp|], as /bin/ftp is rather unreliable.

See the note on MAPPING below.

$File::Fetch::METHOD_FAIL

This is a hashref registering what modules/utilities were known to fail for fetching files (mostly because they weren't installed).

You can reset this cache by assigning an empty hashref to it, or individually remove keys.

See the note on MAPPING below.

MAPPING

Here's a quick mapping for the utilities/modules, and their names for the $BLACKLIST, $METHOD_FAIL and other internal functions.

LWP         => lwp
Net::FTP    => netftp
wget        => wget
lynx        => lynx
ncftp       => ncftp
ftp         => ftp
curl        => curl
rsync       => rsync

FREQUENTLY ASKED QUESTIONS

So how do I use a proxy with File::Fetch?

File::Fetch currently only supports proxies with LWP::UserAgent. You will need to set your environment variables accordingly. For example, to use an ftp proxy:

$ENV{ftp_proxy} = 'foo.com';

Refer to the LWP::UserAgent manpage for more details.

I used 'lynx' to fetch a file, but its contents are all wrong!

lynx can only fetch remote files by dumping their contents to STDOUT, which we in turn capture. If that content is a 'custom' error page (like, say, the output of a 404 handler), you will get that content instead.

Sadly, lynx doesn't support any option to return a different exit code on a non-200 OK status, giving us no way to tell the difference between a 'successful' fetch and a custom error page.

Therefore, we recommend using lynx only as a last resort. This is why it is at the back of our list of methods to try as well.
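As an added example (not code from the File::Fetch distribution), here is how the $BLACKLIST, $TIMEOUT and $WARN variables from GLOBAL VARIABLES and the lynx caveat above fit together in practice: lynx is skipped so an error page cannot be captured as the file, error() is inspected on failure, and a checksum of the written file is verified before anything uses it. The URI and the expected SHA-256 digest are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Fetch;
use File::Temp qw(tempdir);
use Digest::SHA;

# Skip lynx (it cannot signal a non-200 status, so a custom 404 page would be
# returned as the file) and /bin/ftp (unreliable; blacklisted by default anyway).
$File::Fetch::BLACKLIST = [qw|lynx ftp|];
$File::Fetch::TIMEOUT   = 30;   # fail instead of hanging on an unresponsive host
$File::Fetch::WARN      = 0;    # we inspect $ff->error ourselves

# Assumed inputs (placeholders): the URI to fetch and the digest it must have.
my $uri      = 'http://example.com/dir/a.txt?token=abc';
my $expected = 'EXPECTED_SHA256_HEX_DIGEST_GOES_HERE';

my $ff = File::Fetch->new(uri => $uri)
    or die "cannot parse uri $uri\n";

# Query parameters are stripped from the local name (see output_file),
# so the file is saved as a.txt rather than a.txt?token=abc.
printf "will save as %s\n", $ff->output_file;

my $dir   = tempdir(CLEANUP => 1);
my $where = $ff->fetch(to => $dir)
    or die "fetch failed: " . $ff->error . "\n";

# Verify what was actually written before it is used: a fetch that "succeeded"
# by capturing an error page, or a tampered download, fails this check.
my $got = Digest::SHA->new(256)->addfile($where, 'b')->hexdigest;
$got eq $expected
    or die "checksum mismatch for $where: got $got, expected $expected\n";

print "fetched and verified: $where\n";
```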

Files I'm trying to fetch have reserved characters or non-ASCII characters in them. What do I do?

File::Fetch is relatively smart about things. When trying to write a file to disk, it removes the query parameters (see the output_file method for details) from the file name before creating it. In most cases this suffices.

If you have any other characters you need to escape, please install the URI::Escape module from CPAN, and pre-encode your URI before passing it to File::Fetch. You can read about the details of URIs and URI encoding here:

http://www.faqs.org/rfcs/rfc2396.html

TODO

Implement $PREFER_BIN

To indicate to rather use commandline tools than modules

AUTHORS

This module by Jos Boumans <kane@cpan.org>.

COPYRIGHT

This module is copyright (c) 2003-2007 Jos Boumans <kane@cpan.org>. All rights reserved.

This library is free software; you may redistribute and/or modify it under the same terms as Perl itself.
