Forbid using tainted formats in printf and sprintf

[perl5.git] / pod / perl595delta.pod

=head1 NAME

perldelta - what is new for perl v5.9.5

=head1 DESCRIPTION

This document describes differences between the 5.9.4 and the 5.9.5
development releases. See L<perl590delta>, L<perl591delta>,
L<perl592delta>, L<perl593delta> and L<perl594delta> for the differences
between 5.8.0 and 5.9.4.

=head1 Incompatible Changes

=head2 Tainting and printf

When perl is run under taint mode, C<printf()> and C<sprintf()> will now
reject any tainted format argument.

=head2 Removal of the bytecode compiler and of perlcc

C<perlcc>, the byteloader and the supporting modules (B::C, B::CC,
B::Bytecode, etc.) are no longer distributed with the perl sources. Those
experimental tools have never worked reliably, and, due to the lack of
volunteers to keep them in line with the perl interpreter developments, it
was decided to remove them instead of shipping a broken version of those.
The last version of those modules can be found with perl 5.9.4.

However the B compiler framework stays supported in the perl core, as with
the more useful modules it has permitted (among others, B::Deparse and
B::Concise).

=head2 Removal of the JPL

The JPL (Java-Perl Linguo) has been removed from the perl sources tarball.

=head1 Core Enhancements

=head2 Regular expressions

=over 4

=item Recursive Patterns

It is now possible to write recursive patterns without using the C<(??{})>
construct. This new way is more efficient, and in many cases easier to
read.

Each capturing parenthesis can now be treated as an independent pattern
that can be entered by using the C<(?PARNO)> syntax (C<PARNO> standing for
"parenthesis number"). For example, the following pattern will match
nested balanced angle brackets:

    /
     ^                      # start of line
     (                      # start capture buffer 1
	<                   #   match an opening angle bracket
	(?:                 #   match one of:
	    (?>             #     don't backtrack over the inside of this group
		[^<>]+      #       one or more non angle brackets
	    )               #     end non backtracking group
	|                   #     ... or ...
	    (?1)            #     recurse to bracket 1 and try it again
	)*                  #   0 or more times.
	>                   #   match a closing angle bracket
     )                      # end capture buffer one
     $                      # end of line
    /x

Note, users experienced with PCRE will find that the Perl implementation
of this feature differs from the PCRE one in that it is possible to
backtrack into a recursed pattern, whereas in PCRE the recursion is
atomic or "possessive" in nature. (Yves Orton)

=item Named Capture Buffers

It is now possible to name capturing parenthesis in a pattern and refer to
the captured contents by name. The naming syntax is C<< (?<NAME>....) >>.
It's possible to backreference to a named buffer with the C<< \k<NAME> >>
syntax. In code, the new magical hash C<%+> can be used to access the
contents of the buffers.

Thus, to replace all doubled chars, one could write

    s/(?<letter>.)\k<letter>/$+{letter}/g

Only buffers with defined contents will be "visible" in the hash, so
it's possible to do something like

    foreach my $name (keys %+) {
        print "content of buffer '$name' is $+{$name}\n";
    }

Users exposed to the .NET regex engine will find that the perl
implementation differs in that the numerical ordering of the buffers
is sequential, and not "unnamed first, then named". Thus in the pattern

   /(A)(?<B>B)(C)(?<D>D)/

$1 will be 'A', $2 will be 'B', $3 will be 'C' and $4 will be 'D' and not
$1 is 'A', $2 is 'C' and $3 is 'B' and $4 is 'D' that a .NET programmer
would expect. This is considered a feature. :-) (Yves Orton)

=item Possessive Quantifiers

Perl now supports the "possessive quantifier" syntax of the "atomic match" 
pattern. Basically a possessive quantifier matches as much as it can and never
gives any back. Thus it can be used to control backtracking. The syntax is 
similar to non-greedy matching, except instead of using a '?' as the modifier
the '+' is used. Thus C<?+>, C<*+>, C<++>, C<{min,max}+> are now legal
quantifiers. (Yves Orton)

=item Backtracking control verbs

The regex engine now supports a number of special purpose backtrack
control verbs: (*COMMIT), (*MARK), (*CUT), (*ERROR), (*FAIL) and
(*ACCEPT). See L<perlre> for their descriptions.

=back

=head2 The C<_> prototype

A new prototype character has been added. C<_> is equivalent to C<$> (it
denotes a scalar), but defaults to C<$_> if the corresponding argument
isn't supplied. Due to the optional nature of the argument, you can only
use it at the end of a prototype, or before a semicolon.

This has a small incompatible consequence: the prototype() function has
been adjusted to return C<_> for some built-ins in appropriate cases (for
example, C<prototype('CORE::rmdir')>). (Rafael Garcia-Suarez)

=head2 UCD 5.0.0

The copy of the Unicode Character Database included in Perl 5.9 has
been updated to version 5.0.0.

=head1 Modules and Pragmas

=head2 New Core Modules

=over 4

=item *

C<Locale::Maketext::Simple>, needed by CPANPLUS, is a simple wrapper around
C<Locale::Maketext::Lexicon>. Note that C<Locale::Maketext::Lexicon> isn't
included in the perl core; the behaviour of C<Locale::Maketext::Simple>
gracefully degrades when the later isn't present.

=item *

C<Params::Check> implements a generic input parsing/checking mechanism. It
is used by CPANPLUS.

=back

=head2 Module changes

=over 4

=item C<base>

The C<base> pragma now warns if a class tries to inherit from itself.

=item C<warnings>

The C<warnings> pragma doesn't load C<Carp> anymore. That means that code
that used C<Carp> routines without having loaded it at compile time might
need to be adjusted; typically, the following (faulty) code won't work
anymore, and will require parentheses to be added after the function name:

    use warnings;
    require Carp;
    Carp::confess "argh";

=back

=head1 Utility Changes

=head1 Documentation

=head1 Performance Enhancements

=head1 Installation and Configuration Improvements

=head2 C++ compatibility

Efforts have been made to make perl and the core XS modules compilable
with various C++ compilers (although the situation is not perfect with
some of the compilers on some of the platforms tested.)

=head2 Ports

Perl has been reported to work on MidnightBSD.

=head1 Selected Bug Fixes

PerlIO::scalar will now prevent writing to read-only scalars.

study() never worked for UTF-8 strings, but could lead to false results.
It's now a no-op on UTF-8 data. (Yves Orton)

=head1 New or Changed Diagnostics

=head1 Changed Internals

The anonymous hash and array constructors now take 1 op in the optree
instead of 3, now that pp_anonhash and pp_anonlist return a reference to
an hash/array when the op is flagged with OPf_SPECIAL (Nicholas Clark).

=head1 Known Problems

=head2 Platform Specific Problems

=head1 Reporting Bugs

If you find what you think is a bug, you might check the articles
recently posted to the comp.lang.perl.misc newsgroup and the perl
bug database at http://rt.perl.org/rt3/ .  There may also be
information at http://www.perl.org/ , the Perl Home Page.

If you believe you have an unreported bug, please run the B<perlbug>
program included with your release.  Be sure to trim your bug down
to a tiny but sufficient test case.  Your bug report, along with the
output of C<perl -V>, will be sent off to perlbug@perl.org to be
analysed by the Perl porting team.

=head1 SEE ALSO

The F<Changes> file for exhaustive details on what changed.

The F<INSTALL> file for how to build Perl.

The F<README> file for general stuff.

The F<Artistic> and F<Copying> files for copyright information.

=cut