=head3 Algorithmic Complexity Attacks on Hashes
-In Perls 5.8.0 and earlier it was easy to create degenerate hashes.
-Processing such hashes would consume large amounts of CPU time,
-enabling a "Denial of Service" attack against Perl. Such hashes may be
-a problem for example for mod_perl sites, sites with Perl CGI scripts
-and web services, that process data originating from external sources.
-
-In Perl 5.8.1 a security feature was introduced to make it harder to
-create such degenerate hashes. A visible side effect of this was that
-the keys(), values(), and each() functions may return the hash elements
-in different order between different runs of Perl even with the same
-data. It also had unintended binary incompatibility issues with
-certain modules compiled against Perl 5.8.0.
-
-In Perl 5.8.2 an improved scheme was introduced. Hashes will return
-elements in the same order as Perl 5.8.0 by default. On a hash by hash
-basis, if pathological data is detected during a hash key insertion,
-then that hash will switch to an alternative random hash seed. As
-adding keys can always dramatically change returned hash element order,
-existing programs will not be affected by this, unless they
-specifically test for pre-recorded hash return order for contrived
-data. (eg the list of keys generated by C<map {"\0"x$_} 0..15> trigger
-randomisation) In effect the new implementation means that 5.8.1 scheme
-is only being used on hashes which are under attack.
-
-One can still revert to the old guaranteed repeatable order (and be
-vulnerable to attack by wily crackers) by setting the environment
-variable PERL_HASH_SEED, see L<perlrun/PERL_HASH_SEED>. Another option
-is to add -DUSE_HASH_SEED_EXPLICIT to the compilation flags (for
-example by using C<Configure -Accflags=-DUSE_HASH_SEED_EXPLICIT>), in
-which case one has to explicitly set the PERL_HASH_SEED environment
-variable to enable the security feature, or by adding -DNO_HASH_SEED to
-the compilation flags to completely disable the randomisation feature.
+Perl 5.18 reworked the measures used to secure its hash function
+from algorithmic complexity attacks. By default it will build with
+all of these measures enabled along with support for controlling and
+disabling them via environment variables.
+
+You can override various aspects of this feature by defining various
+symbols during configure. An example might be:
+
+ Configure -Accflags=-DPERL_HASH_FUNC_SIPHASH
+
+B<Unless stated otherwise these options are considered experimental or
+insecure and are not recommended for production use.>
+
+Perl 5.18 includes support for multiple hash functions, and changed
+the default (to ONE_AT_A_TIME_HARD), you can choose a different
+algorithm by defining one of the following symbols. Note that as of
+Perl 5.18 we can only recommend use of the default or SIPHASH. All
+the others are known to have security issues and are for research
+purposes only.
+
+ PERL_HASH_FUNC_SIPHASH
+ PERL_HASH_FUNC_SDBM
+ PERL_HASH_FUNC_DJB2
+ PERL_HASH_FUNC_SUPERFAST
+ PERL_HASH_FUNC_MURMUR3
+ PERL_HASH_FUNC_ONE_AT_A_TIME
+ PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
+ PERL_HASH_FUNC_ONE_AT_A_TIME_OLD
+
+Perl 5.18 randomizes the order returned by keys(), values(), and each(),
+and allows controlling this behavior by using of the PERL_PERTURB_KEYS
+option. You can disable this option entirely with the define:
+
+ PERL_PERTURB_KEYS_DISABLED
+
+You can disable the environment variable checks and specify the type of
+key traversal randomization to be used by defining one of these:
+
+ PERL_PERTURB_KEYS_RANDOM
+ PERL_PERTURB_KEYS_DETERMINISTIC
+
+In Perl 5.18 the seed used for the hash function is randomly selected
+at process start which can be overridden by specifying a seed by setting
+the PERL_HASH_SEED environment variable.
+
+You can change this behavior by building perl with the
+
+ USE_HASH_SEED_EXPLICIT
+
+define, in which case one has to explicitly set the PERL_HASH_SEED
+environment variable to enable the security feature or by adding
+
+ NO_HASH_SEED
+
+to the compilation flags to completely disable the randomisation feature.
+Note these modes are poorly tested, insecure and not recommended.
B<Perl has never guaranteed any ordering of the hash keys>, and the
ordering has already changed several times during the lifetime of Perl
hashes "unordered". The use of the Data::Dumper C<Sortkeys> option is
recommended.
+See L<perlrun/PERL_HASH_SEED> and L<perlrun/PERL_PERTURB_KEYS> for details on
+the environment variables, and L<perlsec/Algorithmic Complexity Attacks> for
+further security details.
+
=head3 SOCKS
Perl can be configured to be 'socksified', that is, to use the SOCKS
=item Directories for the perl distribution
-By default, Configure will use the following directories for 5.17.9.
+By default, Configure will use the following directories for 5.19.2.
$version is the full perl version number, including subversion, e.g.
5.12.3, and $archname is a string like sun4-sunos,
determined by Configure. The full definitions of all Configure
CPAN) or scripts. Configure will set up the following directories to
be used for installing those add-on modules and scripts.
- Configure variable Default value
- $siteprefixexp $prefixexp
- $sitebinexp $siteprefixexp/bin
- $sitescriptexp $siteprefixexp/bin
- $sitelibexp $siteprefixexp/lib/perl5/site_perl/$version
- $sitearchexp $siteprefixexp/lib/perl5/site_perl/$version/$archname
- $siteman1direxp $siteprefixexp/man/man1
- $siteman3direxp $siteprefixexp/man/man3
- $sitehtml1direxp (none)
- $sitehtml3direxp (none)
+ Configure Default
+ variable value
+ $siteprefixexp $prefixexp
+ $sitebinexp $siteprefixexp/bin
+ $sitescriptexp $siteprefixexp/bin
+ $sitelibexp $siteprefixexp/lib/perl5/site_perl/$version
+ $sitearchexp
+ $siteprefixexp/lib/perl5/site_perl/$version/$archname
+ $siteman1direxp $siteprefixexp/man/man1
+ $siteman3direxp $siteprefixexp/man/man3
+ $sitehtml1direxp (none)
+ $sitehtml3direxp (none)
By default, ExtUtils::MakeMaker will install architecture-independent
modules into $sitelib and architecture-dependent modules into $sitearch.
distribution, Configure can optionally set up the following directories
for you to use to distribute add-on modules.
- Configure variable Default value
- $vendorprefixexp (none)
- (The next ones are set only if vendorprefix is set.)
- $vendorbinexp $vendorprefixexp/bin
- $vendorscriptexp $vendorprefixexp/bin
- $vendorlibexp
- $vendorprefixexp/lib/perl5/vendor_perl/$version
- $vendorarchexp
- $vendorprefixexp/lib/perl5/vendor_perl/$version/$archname
- $vendorman1direxp $vendorprefixexp/man/man1
- $vendorman3direxp $vendorprefixexp/man/man3
- $vendorhtml1direxp (none)
- $vendorhtml3direxp (none)
+ Configure Default
+ variable value
+ $vendorprefixexp (none)
+
+ (The next ones are set only if vendorprefix is set.)
+
+ $vendorbinexp $vendorprefixexp/bin
+ $vendorscriptexp $vendorprefixexp/bin
+ $vendorlibexp $vendorprefixexp/lib/perl5/vendor_perl/$version
+ $vendorarchexp
+ $vendorprefixexp/lib/perl5/vendor_perl/$version/$archname
+ $vendorman1direxp $vendorprefixexp/man/man1
+ $vendorman3direxp $vendorprefixexp/man/man3
+ $vendorhtml1direxp (none)
+ $vendorhtml3direxp (none)
These are normally empty, but may be set as needed. For example,
a vendor might choose the following settings:
- $prefix /usr
- $siteprefix /usr/local
- $vendorprefix /usr
+ $prefix /usr
+ $siteprefix /usr/local
+ $vendorprefix /usr
This would have the effect of setting the following:
- $binexp /usr/bin
- $scriptdirexp /usr/bin
- $privlibexp /usr/lib/perl5/$version
- $archlibexp /usr/lib/perl5/$version/$archname
- $man1direxp /usr/man/man1
- $man3direxp /usr/man/man3
-
- $sitebinexp /usr/local/bin
- $sitescriptexp /usr/local/bin
- $sitelibexp /usr/local/lib/perl5/site_perl/$version
- $sitearchexp /usr/local/lib/perl5/site_perl/$version/$archname
- $siteman1direxp /usr/local/man/man1
- $siteman3direxp /usr/local/man/man3
-
- $vendorbinexp /usr/bin
- $vendorscriptexp /usr/bin
- $vendorlibexp /usr/lib/perl5/vendor_perl/$version
- $vendorarchexp /usr/lib/perl5/vendor_perl/$version/$archname
- $vendorman1direxp /usr/man/man1
- $vendorman3direxp /usr/man/man3
+ $binexp /usr/bin
+ $scriptdirexp /usr/bin
+ $privlibexp /usr/lib/perl5/$version
+ $archlibexp /usr/lib/perl5/$version/$archname
+ $man1direxp /usr/man/man1
+ $man3direxp /usr/man/man3
+
+ $sitebinexp /usr/local/bin
+ $sitescriptexp /usr/local/bin
+ $sitelibexp /usr/local/lib/perl5/site_perl/$version
+ $sitearchexp /usr/local/lib/perl5/site_perl/$version/$archname
+ $siteman1direxp /usr/local/man/man1
+ $siteman3direxp /usr/local/man/man3
+
+ $vendorbinexp /usr/bin
+ $vendorscriptexp /usr/bin
+ $vendorlibexp /usr/lib/perl5/vendor_perl/$version
+ $vendorarchexp /usr/lib/perl5/vendor_perl/$version/$archname
+ $vendorman1direxp /usr/man/man1
+ $vendorman3direxp /usr/man/man3
Note how in this example, the vendor-supplied directories are in the
/usr hierarchy, while the directories reserved for the end user are in
site-specific files that are stored elsewhere on your organization's
network. One way to do that would be something like
- sh Configure -Dsiteprefix=/usr/local -Dvendorprefix=/usr/share/perl
+ sh Configure -Dsiteprefix=/usr/local -Dvendorprefix=/usr/share/perl
=item otherlibdirs
=head2 DTrace support
-On platforms where DTrace is available, it may be enabled by
+On platforms where DTrace is available, it may be enabled by
using the -Dusedtrace option to Configure. DTrace probes are available for
subroutine entry (sub-entry) and subroutine exit (sub-exit). Here's a
simple D script that uses them:
It is possible to specify this from the command line (all on one
line):
- sh Configure -de \
- -Dlocincpth='/usr/local/BerkeleyDB.4.7/include /usr/local/include' \
- -Dloclibpth='/usr/local/BerkeleyDB.4.7/lib /usr/local/lib' \
- -Aldflags='-R/usr/local/BerkeleyDB.4.7/lib'
+ sh Configure -de \
+ -Dlocincpth='/usr/local/BerkeleyDB.4.7/include \
+ /usr/local/include' \
+ -Dloclibpth='/usr/local/BerkeleyDB.4.7/lib /usr/local/lib' \
+ -Aldflags='-R/usr/local/BerkeleyDB.4.7/lib'
locincpth is a space-separated list of include directories to search.
Configure will automatically add the appropriate -I directives.
scripts
- cppstdin This is used by the deprecated switch perl -P, if
- your cc -E can't read from stdin.
- c2ph, pstruct Scripts for handling C structures in header files.
+ cppstdin This is used by the deprecated switch perl -P,
+ if your cc -E can't read from stdin.
+ c2ph, pstruct Scripts for handling C structures in header
+ files.
config_data Manage Module::Build-like module configuration.
- corelist Shows versions of modules that come with different
+ corelist Shows versions of modules that come with
+ different
versions of perl.
cpan The CPAN shell.
- cpan2dist The CPANPLUS distribution creator.
- cpanp The CPANPLUS shell.
- cpanp-run-perl A helper for cpanp.
enc2xs Encoding module generator.
find2perl find-to-perl translator.
- h2ph Extract constants and simple macros from C headers.
+ h2ph Extract constants and simple macros from C
+ headers.
h2xs Converts C .h header files to Perl extensions.
instmodsh A shell to examine installed modules.
libnetcfg Configure libnet.
utility iconv.
pl2pm Convert Perl 4 .pl files to Perl 5 .pm modules.
pod2html, Converters from perl's pod documentation format
- pod2latex, to other useful formats.
pod2man,
pod2text,
pod2usage
shasum A tool to print or check SHA checksums.
splain Describe Perl warnings and errors.
xsubpp Compiler to convert Perl XS code into C code.
- zipdetails display the internal structure of zip files
+ zipdetails display the internal structure of zip files
library files
=head1 Coexistence with earlier versions of perl 5
-Perl 5.17.9 is not binary compatible with earlier versions of Perl.
+Perl 5.19.2 is not binary compatible with earlier versions of Perl.
In other words, you will have to recompile your XS modules.
In general, you can usually safely upgrade from one version of Perl (e.g.
libraries after 5.6.0, but not for executables. TODO?) One convenient
way to do this is by using a separate prefix for each version, such as
- sh Configure -Dprefix=/opt/perl5.17.9
+ sh Configure -Dprefix=/opt/perl5.19.2
-and adding /opt/perl5.17.9/bin to the shell PATH variable. Such users
+and adding /opt/perl5.19.2/bin to the shell PATH variable. Such users
may also wish to add a symbolic link /usr/local/bin/perl so that
scripts can still start with #!/usr/local/bin/perl.
subversions may not have all the compatibility wrinkles ironed out
yet.
-=head2 Upgrading from 5.17.8 or earlier
+=head2 Upgrading from 5.19.0 or earlier
-B<Perl 5.17.9 may not be binary compatible with Perl 5.17.8 or
+B<Perl 5.19.2 may not be binary compatible with Perl 5.19.0 or
earlier Perl releases.> Perl modules having binary parts
(meaning that a C compiler is used) will have to be recompiled to be
-used with 5.17.9. If you find you do need to rebuild an extension with
-5.17.9, you may safely do so without disturbing the older
+used with 5.19.2. If you find you do need to rebuild an extension with
+5.19.2, you may safely do so without disturbing the older
installations. (See L<"Coexistence with earlier versions of perl 5">
above.)
print("$f\n");
}
-in Linux with perl-5.17.9 is as follows (under $Config{prefix}):
+in Linux with perl-5.19.2 is as follows (under $Config{prefix}):
./bin/perl
- ./lib/perl5/5.17.9/strict.pm
- ./lib/perl5/5.17.9/warnings.pm
- ./lib/perl5/5.17.9/i686-linux/File/Glob.pm
- ./lib/perl5/5.17.9/feature.pm
- ./lib/perl5/5.17.9/XSLoader.pm
- ./lib/perl5/5.17.9/i686-linux/auto/File/Glob/Glob.so
+ ./lib/perl5/5.19.2/strict.pm
+ ./lib/perl5/5.19.2/warnings.pm
+ ./lib/perl5/5.19.2/i686-linux/File/Glob.pm
+ ./lib/perl5/5.19.2/feature.pm
+ ./lib/perl5/5.19.2/XSLoader.pm
+ ./lib/perl5/5.19.2/i686-linux/auto/File/Glob/Glob.so
Secondly, for perl-5.10.1, the Debian perl-base package contains 591 files,
(of which 510 are for lib/unicore) totaling about 3.5MB in its i386 version.
it's a minimal set) and if you want to find out all the files you can
use something like the below
- strace perl -le 'do "x.pl"' 2>&1 | perl -nle '/^open\(\"(.+?)"/ && print $1'
+ strace perl -le 'do "x.pl"' 2>&1 \
+ | perl -nle '/^open\(\"(.+?)"/ && print $1'
(The 'strace' is Linux-specific, other similar utilities include 'truss'
and 'ktrace'.)