=encoding utf8
=for comment
-This has been completed up to e08f19f5d07, except for
-e032854 khw [perl #32080] is_utf8_string() reads too far
-b0f2e9e nwclark Fix two bugs related to pod files outside of pod/ (important enough?)
+This has been completed up to 5e5a1632, except for
+b0f2e9e nwclark Fix two bugs related to pod files outside of pod/ (important enough?)
+4b476da craigb Skip Perl_my_symlink on old VMS systems
+9b9f19d craigb Another vms bug
+c29067d Carl Hayter Make sitecustomize relocatableinc aware
+fc81b71 nwclark Avoid attacks on sitecustomize by using NUL delimiters
+bdba49a shlomif perl -d bugfixes and tests
=head1 NAME
vulnerabilities closed should be noted here rather than in the
L</Selected Bug Fixes> section.
-[ List each security issue as a =head2 entry ]
+=head2 C<is_utf8_char()>
+
+The XS-callable function C<is_utf8_char()> when presented with malformed
+UTF-8 input can read up to 12 bytes beyond the end of the string. This
+cannot be fixed without changing its API. It is not called from CPAN.
+The documentation for it now describes how to use it safely.
+
+=head2 Other C<is_utf8_foo()> functions, as well as C<utf8_to_foo()>, etc.
+
+Most of the other XS-callable functions that take UTF-8 encoded input
+implicitly assume that the UTF-8 is valid (not malformed) in regards to
+buffer length. Do not do things such as change a character's case or
+see if it is alphanumeric without first being sure that it is valid
+UTF-8. This can be safely done for a whole string by using one of the
+functions C<is_utf8_string()>, C<is_utf8_string_loc()>, and
+C<is_utf8_string_loclen()>.
=head1 Incompatible Changes
[ List each incompatible change as a =head2 entry ]
+=head2 C<use I<VERSION>>
+
+As of this release, version declarations like C<use v5.16> now disable all
+features before enabling the new feature bundle. This means that the
+following holds true:
+
+ use 5.016;
+ # 5.16 features enabled here
+ use 5.014;
+ # 5.16 features disabled here
+
+C<use v5.12> and higher continue to enable strict, but explicit
+C<use strict> and C<no strict> now override the version declaration, even
+when they come first:
+
+ no strict;
+ use 5.012;
+ # no strict here
+
+There is a new ":default" feature bundle, that represents the set of
+features enabled before any version declaration or C<use feature> has been
+seen. Version declarations below 5.10 now enable the ":default" feature
+set. This does not actually change the behaviour of C<use v5.8>, because
+features added to the ":default" set are those that were traditionally
+enabled by default, before they could be turned off.
+
+C<$[> is now disabled under C<use v5.16>. It is part of the default
+feature set and can be turned on or off explicitly
+with C<use feature 'array_base'>.
+
=head2 C<substr> lvalue revamp
When C<substr> is called in lvalue or potential lvalue context with two or
the behaviour of negative offsets was never specified, so the change was
deemed acceptable.
+=head2 Return value of C<eval>
+
+C<eval> returns C<undef> in scalar context or an empty list in list context
+when there is a run-time error. For syntax errors (when C<eval> is passed
+a string), in list context it used to return a list containing a single
+undefined element. Now it returns an empty list in list context for all
+errors [perl #80630].
+
=head2 XS API tweak
The C<newCONSTSUB_flags> C-level function, added in 5.15.4, now has a
=item *
-L<B::Deparse> has been upgraded from version 1.09 to 1.10.
+L<B::Deparse> has been upgraded from version 1.09 to version 1.10.
+
+Various constructs that used to be deparsed incorrectly have been fixed:
+
+=over
+
+=item C<sort(foo(bar))>
+
+C<sort foo(bar)>, how it used to deparse, makes foo the sort routine,
+rather than a regular function call.
+
+=item Keys and values in C<%^H>
-C<sort(foo(bar))> is now deparsed correctly. (C<sort foo(bar)>, how it used
-to deparse, makes foo the sort routine, rather than a regular function
-call.)
+Undefined values in the hint hash were being deparsed as empty strings.
+Whenever the hint hash changed, all undefined values, even those
+unmodified, were being printed.
+
+Special characters, such as quotation marks, were not being escaped
+properly.
+
+Some values used to be omitted if, for instance, a key was the same as a
+previous value and vice versa.
+
+=item "method BLOCK" syntax
+
+C<method { $expr }> used to be deparsed as something like
+C<< do{ $expr }->method >>, but the latter puts the $expr in scalar
+context, whereas the former puts in list context.
+
+=item C<do +{}> and C<do({})>
+
+These are both variants of do-file syntax, but were being deparsed as
+do-blocks.
+
+=item Keywords that do not follow the llafr
+
+Keywords like C<return> and C<last> that do not follow the
+looks-like-a-function rule are now deparsed correctly with parentheses in
+the right place.
+
+=item C<=~>
+
+In various cases, B::Deparse started adding a spurious C<$_ =~> before the
+right-hand side in Perl 5.14; e.g., C<< "" =~ <$a> >> would become
+C<< "" =~ ($_ =~ <$a>) >>.
+
+=back
=item *
=item *
+L<CPAN::Meta::YAML> has been upgraded from version 0.004 to version 0.005.
+
+=item *
+
L<CPANPLUS> has been upgraded from version 0.9112 to version 0.9113.
=item *
-L<Data::Dumper> has been upgraded from version 2.134 to 2.135.
+L<Data::Dumper> has been upgraded from version 2.134 to version 2.135.
The XS implementation has been updated to account for the Unicode symbol
changes in Perl 5.15.4. It also knows how to output typeglobs with nulls
=item *
+L<Digest::SHA> has been upgraded from version 5.63 to version 5.70.
+
+Added BITS mode to addfile method and shasum which makes partial-byte inputs
+now possible via files/STDIN and allows shasum to check all 8074 NIST Msg vectors,
+where previously special programming was required to do this.
+
+=item *
+
L<ExtUtils::ParseXS> has been upgraded from version 3.05 to version 3.07.
=item *
=item *
-L<POSIX> has been upgraded from version 1.26 to 1.27.
+L<POSIX> has been upgraded from version 1.26 to version 1.27.
It no longer produces a "Constant subroutine TCSANOW redefined" warning on
Windows.
=item *
+L<Socket> has been upgraded from version 1.94_02 to version 1.96.
+
+=item *
+
+L<threads> has been upgraded from version 1.85 to version 1.86.
+
+=item *
+
L<Unicode::Collate> has been upgraded from version 0.85 to version 0.87.
Tailored compatibility ideographs as well as unified ideographs for
=item *
-L<UNIVERSAL> has been upgraded from version 1.10 to 1.11.
+L<UNIVERSAL> has been upgraded from version 1.10 to version 1.11.
Documentation change clarifies return values from UNIVERSAL::VERSION.
=item *
-XXX
+Changing the case of a UTF-8 encoded string under C<use locale> now
+gives better, but still imperfect, results. Previously, such a string
+would entirely lose locale semantics and silently be treated as Unicode.
+Now, the code points that are less than 256 are treated with locale
+rules, while those above 255 are, of course, treated as Unicode. See
+L<perlfunc/lc> for more details, including the deficiencies of this
+scheme.
=back
However, any changes to F<pod/perldiag.pod> should go in the L</Diagnostics>
section.
-=head3 L<XXX>
+=head3 L<perlsec/Laundering and Detecting Tainted Data>
=over 4
=item *
-XXX Description of the change here
+The example function for checking for taintedness contained a subtle
+error. C<$@> needs to be localized to prevent its changing this
+global's value outside the function. The preferred method to check for
+this, though, remains to use L<Scalar::Util/tainted>.
=back
=item *
+RT #78266: The regex engine has been leaking memory when accessing
+named captures that weren't matched as part of a regex ever since 5.10
+when they were introduced, e.g. this would consume over a hundred MB
+of memory:
+
+ for (1..10_000_000) {
+ if ("foo" =~ /(foo|(?<capture>bar))?/) {
+ my $capture = $+{capture}
+ }
+ }
+ system "ps -o rss $$"'
+
+=item *
+
A constant subroutine assigned to a glob whose name contains a null will no
longer cause extra globs to pop into existence when the constant is
referenced under its new name.
rely on the 'nomethod' override no longer segfault when the left operand is not
overloaded.
+=item *
+
+Assigning C<__PACKAGE__> or any other shared hash key scalar to a stash
+element no longer causes a double free. Regardless of this change, the
+results of such assignments are still undefined.
+
+=item *
+
+Creating a C<UNIVERSAL::AUTOLOAD> sub no longer stops C<%+>, C<%-> and
+C<%!> from working some of the time [perl #105024].
+
+=item *
+
+Assigning C<__PACKAGE__> or another shared hash key string to a variable no
+longer stops that variable from being tied if it happens to be a PVMG or
+PVLV internally.
+
+=item *
+
+When presented with malformed UTF-8 input, the XS-callable functions
+C<is_utf8_string()>, C<is_utf8_string_loc()>, and
+C<is_utf8_string_loclen()> could read beyond the end of the input
+string by up to 12 bytes. This no longer happens. [perl #32080].
+However, currently, C<is_utf8_char()> still has this defect,
+see L</is_utf8_char()> above.
+
+=item *
+
+Doing a substitution on a tied variable returning a copy-on-write scalar
+used to cause an assertion failure or an "Attempt to free nonexistent
+shared string" warning.
+
+=item *
+
+A change in perl 5.15.4 caused C<caller()> to produce malloc errors and a
+crash with Perl's own malloc, and possibly with other malloc
+implementations, too [perl #104034].
+
+=item *
+
+A bug fix in 5.15.5 could sometimes result in assertion failures under
+debugging builds of perl for certain syntax errors in C<eval>, such as
+C<eval(q|""!=!~//|);>
+
=back
=head1 Known Problems
https://perl5.git.perl.org / perl5.git / blobdiff