diff --git a/dev/import-perl5/config.yaml b/dev/import-perl5/config.yaml index 0180aa4cb..662eeace9 100644 --- a/dev/import-perl5/config.yaml +++ b/dev/import-perl5/config.yaml @@ -588,6 +588,7 @@ imports: # From core distribution (has built-in pure Perl fallback when XS unavailable) - source: perl5/dist/Data-Dumper/Dumper.pm target: src/main/perl/lib/Data/Dumper.pm + patch: Data-Dumper.pm.patch # Tests for distribution - source: perl5/dist/Data-Dumper/t diff --git a/dev/import-perl5/patches/Data-Dumper.pm.patch b/dev/import-perl5/patches/Data-Dumper.pm.patch new file mode 100644 index 000000000..b23e64794 --- /dev/null +++ b/dev/import-perl5/patches/Data-Dumper.pm.patch @@ -0,0 +1,13 @@ +--- perl5/dist/Data-Dumper/Dumper.pm ++++ src/main/perl/lib/Data/Dumper.pm +@@ -580,6 +580,10 @@ + $out .= sprintf "v%vd", $val; + } + # \d here would treat "1\x{660}" as a safe decimal number ++ elsif (defined &Data::Dumper::_perlonjava_numified_safe_decimal ++ and Data::Dumper::_perlonjava_numified_safe_decimal($val)) { ++ $out .= $val; ++ } + elsif ($val =~ /^(?:0|-?[1-9][0-9]{0,8})\z/) { # safe decimal number + $out .= $val; + } diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 9156544f3..b61ad8a6e 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -1,21 +1,21 @@ [versions] -asm = "9.9.1" -bouncycastle = "1.78.1" +asm = "9.10.1" +bouncycastle = "1.84" +commons-compress = "1.28.0" commons-csv = "1.14.1" -commons-compress = "1.27.1" icu4j = "78.3" -junit-jupiter = "6.1.0-M1" +junit-jupiter = "6.1.1" snakeyaml-engine = "3.0.1" -sqlite-jdbc = "3.51.3.0" +sqlite-jdbc = "3.53.2.0" tomlj = "1.1.1" [libraries] asm = { module = "org.ow2.asm:asm", version.ref = "asm" } asm-util = { module = "org.ow2.asm:asm-util", version.ref = "asm" } -bcprov = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "bouncycastle" } bcpkix = { module = "org.bouncycastle:bcpkix-jdk18on", version.ref = "bouncycastle" } -commons-csv = { module = "org.apache.commons:commons-csv", version.ref = "commons-csv" } +bcprov = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "bouncycastle" } commons-compress = { module = "org.apache.commons:commons-compress", version.ref = "commons-compress" } +commons-csv = { module = "org.apache.commons:commons-csv", version.ref = "commons-csv" } icu4j = { module = "com.ibm.icu:icu4j", version.ref = "icu4j" } junit-jupiter-api = { module = "org.junit.jupiter:junit-jupiter-api", version.ref = "junit-jupiter" } junit-jupiter-engine = { module = "org.junit.jupiter:junit-jupiter-engine", version.ref = "junit-jupiter" } diff --git a/pom.xml b/pom.xml index 50cf4c442..a7615aede 100644 --- a/pom.xml +++ b/pom.xml @@ -20,29 +20,29 @@ org.ow2.asm asm - 9.9.1 + 9.10.1 org.ow2.asm asm-util - 9.9.1 + 9.10.1 org.junit.jupiter junit-jupiter-api - 6.1.0-M1 + 6.1.1 test org.junit.jupiter junit-jupiter-engine - 6.1.0-M1 + 6.1.1 test org.junit.jupiter junit-jupiter-params - 6.1.0-M1 + 6.1.1 test @@ -68,27 +68,27 @@ org.apache.commons commons-compress - 1.27.1 + 1.28.0 org.xerial sqlite-jdbc - 3.51.3.0 + 3.53.2.0 org.bouncycastle bcprov-jdk18on - 1.78.1 + 1.84 org.bouncycastle bcpkix-jdk18on - 1.78.1 + 1.84 io.netty netty-codec-http - 4.1.115.Final + 4.2.16.Final diff --git a/src/main/perl/lib/Archive/Tar.pm b/src/main/perl/lib/Archive/Tar.pm index 38e93712c..4b955b1d5 100644 --- a/src/main/perl/lib/Archive/Tar.pm +++ b/src/main/perl/lib/Archive/Tar.pm @@ -24,7 +24,7 @@ use strict; use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING $SAME_PERMISSIONS $INSECURE_EXTRACT_MODE $ZERO_PAD_NUMBERS @ISA @EXPORT $RESOLVE_SYMLINK - $EXTRACT_BLOCK_SIZE + $EXTRACT_BLOCK_SIZE $EXTRACT_HARDLINK $MAX_FILE_SIZE ]; @ISA = qw[Exporter]; @@ -32,7 +32,7 @@ use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD $DEBUG = 0; $WARN = 1; $FOLLOW_SYMLINK = 0; -$VERSION = "3.04"; +$VERSION = "3.12"; $CHOWN = 1; $CHMOD = 1; $SAME_PERMISSIONS = $> == 0 ? 1 : 0; @@ -41,6 +41,8 @@ $INSECURE_EXTRACT_MODE = 0; $ZERO_PAD_NUMBERS = 0; $RESOLVE_SYMLINK = $ENV{'PERL5_AT_RESOLVE_SYMLINK'} || 'speed'; $EXTRACT_BLOCK_SIZE = 1024 * 1024 * 1024; +$EXTRACT_HARDLINK = 0; +$MAX_FILE_SIZE = 1024 * 1024 * 1024; BEGIN { use Config; @@ -444,6 +446,14 @@ sub _read_tar { my $block = BLOCK_SIZE->( $entry->size ); + if ( $MAX_FILE_SIZE && $entry->size > $MAX_FILE_SIZE ) { + $self->_error( qq[Entry '] . $entry->full_path . + qq[' declared size ] . $entry->size . + qq[ bytes exceeds \$Archive::Tar::MAX_FILE_SIZE ] . + qq[($MAX_FILE_SIZE); refusing to allocate] ); + next LOOP; + } + $data = $entry->get_content_by_ref; my $skip = 0; @@ -922,19 +932,19 @@ sub _extract_file { ### only update the timestamp if it's not a symlink; that will change the ### timestamp of the original. This addresses bug #33669: Could not update ### timestamp warning on symlinks - if( not -l $full ) { + if( not -l $full and not ( $entry->is_hardlink and ON_UNIX and $EXTRACT_HARDLINK ) ) { utime time, $entry->mtime - TIME_OFFSET, $full or $self->_error( qq[Could not update timestamp] ); } - if( $CHOWN && CAN_CHOWN->() and not -l $full ) { + if( $CHOWN && CAN_CHOWN->() and not -l $full and not ( $entry->is_hardlink and ON_UNIX and $EXTRACT_HARDLINK ) ) { CORE::chown( $entry->uid, $entry->gid, $full ) or $self->_error( qq[Could not set uid/gid on '$full'] ); } ### only chmod if we're allowed to, but never chmod symlinks, since they'll ### change the perms on the file they're linking too... - if( $CHMOD and not -l $full ) { + if( $CHMOD and not -l $full and not ( $entry->is_hardlink and ON_UNIX and $EXTRACT_HARDLINK ) ) { my $mode = $entry->mode; unless ($SAME_PERMISSIONS) { $mode &= ~(oct(7000) | umask); @@ -954,6 +964,19 @@ sub _make_special_file { my $err; if( $entry->is_symlink ) { + if( !$INSECURE_EXTRACT_MODE ) { + my $linkname = $entry->linkname; + if( File::Spec->file_name_is_absolute($linkname) ) { + $self->_error( qq[Symlink '] . $entry->full_path . + qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] ); + return; + } + if( !defined _symlinks_resolver( $entry->full_path, $linkname, 1 ) ) { + $self->_error( qq[Symlink '] . $entry->full_path . + qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] ); + return; + } + } my $fail; if( ON_UNIX ) { symlink( $entry->linkname, $file ) or $fail++; @@ -967,8 +990,25 @@ sub _make_special_file { $entry->linkname .q[' failed] if $fail; } elsif ( $entry->is_hardlink ) { + if( !$INSECURE_EXTRACT_MODE ) { + my $linkname = $entry->linkname; + if( File::Spec->file_name_is_absolute($linkname) ) { + $self->_error( qq[Hardlink '] . $entry->full_path . + qq[' has absolute target '$linkname'. Not extracting ] . + qq[under SECURE EXTRACT MODE: extraction itself chmods ] . + qq[the shared inode.] ); + return; + } + if( !defined _symlinks_resolver( $entry->full_path, $linkname, 1 ) ) { + $self->_error( qq[Hardlink '] . $entry->full_path . + qq[' target '$linkname' attempts traversal. Not ] . + qq[extracting under SECURE EXTRACT MODE: extraction ] . + qq[itself chmods the shared inode.] ); + return; + } + } my $fail; - if( ON_UNIX ) { + if( ON_UNIX && $EXTRACT_HARDLINK ) { link( $entry->linkname, $file ) or $fail++; } else { @@ -1984,7 +2024,7 @@ sub no_string_support { } sub _symlinks_resolver{ - my ($src, $trg) = @_; + my ($src, $trg, $strict) = @_; my @src = split /[\/\\]/, $src; my @trg = split /[\/\\]/, $trg; pop @src; #strip out current object name @@ -1997,6 +2037,7 @@ sub _symlinks_resolver{ next if $part eq '.'; #ignore current if($part eq '..'){ #got to parent + return if $strict && !@src; pop @src; } else{ @@ -2118,6 +2159,12 @@ set this variable to C. Note that this is a backwards incompatible change from version C<1.36> and before. +=head2 $Archive::Tar::EXTRACT_HARDLINK + +Prior to version C<3.06> Archive::Tar would honour hardlinks in +archives. Version C<3.06> and onwards will skip hardlinks unless +this flag is set. Exercise caution when enabling this. + =head2 $Archive::Tar::HAS_PERLIO This variable holds a boolean indicating if we currently have @@ -2187,6 +2234,13 @@ cannot be arbitrarily large since some operating systems limit the number of bytes that can be written in one call to C, so if this is too large, extraction may fail with an error. +=head2 $Archive::Tar::MAX_FILE_SIZE + +This variable holds an upper bound on the per-entry declared size that +C will accept when reading an archive. Entries whose header +claims a larger size are refused with an error before any read allocation. +Defaults to 1 GiB. Set to 0 to disable the cap. + =cut =head1 FAQ diff --git a/src/main/perl/lib/Archive/Tar/Constant.pm b/src/main/perl/lib/Archive/Tar/Constant.pm index 75b416557..ab6768bc9 100644 --- a/src/main/perl/lib/Archive/Tar/Constant.pm +++ b/src/main/perl/lib/Archive/Tar/Constant.pm @@ -8,7 +8,7 @@ use vars qw[$VERSION @ISA @EXPORT]; BEGIN { require Exporter; - $VERSION = '3.04'; + $VERSION = '3.12'; @ISA = qw[Exporter]; require Time::Local if $^O eq "MacOS"; diff --git a/src/main/perl/lib/Archive/Tar/File.pm b/src/main/perl/lib/Archive/Tar/File.pm index 1661a6a03..d524b9df8 100644 --- a/src/main/perl/lib/Archive/Tar/File.pm +++ b/src/main/perl/lib/Archive/Tar/File.pm @@ -11,7 +11,7 @@ use Archive::Tar::Constant; use vars qw[@ISA $VERSION]; #@ISA = qw[Archive::Tar]; -$VERSION = '3.04'; +$VERSION = '3.12'; ### set value to 1 to oct() it during the unpack ### diff --git a/src/main/perl/lib/IO/Socket/IP.pm b/src/main/perl/lib/IO/Socket/IP.pm index eb1d3b9d9..c6779cf20 100644 --- a/src/main/perl/lib/IO/Socket/IP.pm +++ b/src/main/perl/lib/IO/Socket/IP.pm @@ -3,12 +3,12 @@ # # (C) Paul Evans, 2010-2024 -- leonerd@leonerd.org.uk -package IO::Socket::IP 0.43; +package IO::Socket::IP 0.44; use v5.14; use warnings; -use base qw( IO::Socket ); +use parent qw( IO::Socket ); use Carp; @@ -1199,7 +1199,7 @@ sub join_addr package # hide from indexer IO::Socket::IP::_ForINET; -use base qw( IO::Socket::IP ); +use parent qw( IO::Socket::IP ); sub configure { @@ -1213,7 +1213,7 @@ sub configure package # hide from indexer IO::Socket::IP::_ForINET6; -use base qw( IO::Socket::IP ); +use parent qw( IO::Socket::IP ); sub configure { diff --git a/src/main/perl/lib/NEXT.pm b/src/main/perl/lib/NEXT.pm index 9059a3e46..067929053 100644 --- a/src/main/perl/lib/NEXT.pm +++ b/src/main/perl/lib/NEXT.pm @@ -299,7 +299,7 @@ The C tells C that there must actually be a next method to call, or it should throw an exception. C is most commonly used in C methods, as a means to -decline an C request, but preserve the normal exception-on-failure +decline an C request, but preserve the normal exception-on-failure semantics: sub AUTOLOAD { @@ -328,10 +328,10 @@ If C redispatching is used in the methods of a "diamond" class hierarchy: use NEXT; - package A; + package A; sub foo { print "called A::foo\n"; shift->NEXT::foo() } - package B; + package B; sub foo { print "called B::foo\n"; shift->NEXT::foo() } package C; @ISA = qw( A ); @@ -361,7 +361,7 @@ inherited. For example, the above code prints: (i.e. C is called twice). In some cases this I be the desired effect within a diamond hierarchy, -but in others (e.g. for destructors) it may be more appropriate to +but in others (e.g. for destructors) it may be more appropriate to call each method only once during a sequence of redispatches. To cover such cases, you can redispatch methods via: @@ -377,10 +377,10 @@ once. That is, to skip any classes in the hierarchy that it has already visited during redispatch. So, for example, if the previous example were rewritten: - package A; + package A; sub foo { print "called A::foo\n"; shift->NEXT::DISTINCT::foo() } - package B; + package B; sub foo { print "called B::foo\n"; shift->NEXT::DISTINCT::foo() } package C; @ISA = qw( A ); @@ -469,11 +469,11 @@ initializers) where it's more appropriate that the least-derived methods be called first (as more-derived methods may rely on the behaviour of their "ancestors"). In that case, instead of using the C pseudo-class: - $obj->EVERY::foo(); # prints" A::foo B::foo X::foo D::foo + $obj->EVERY::foo(); # prints" A::foo B::foo X::foo D::foo you can use the C pseudo-class: - $obj->EVERY::LAST::foo(); # prints" D::foo X::foo B::foo A::foo + $obj->EVERY::LAST::foo(); # prints" D::foo X::foo B::foo A::foo which reverses the order of method call. @@ -509,11 +509,11 @@ left-most-depth-first-est one): package Base; sub DESTROY { $_[0]->EVERY::Destroy } - package Derived1; + package Derived1; use base 'Base'; sub Destroy {...} - package Derived2; + package Derived2; use base 'Base', 'Derived1'; sub Destroy {...} @@ -532,14 +532,14 @@ a new object is invoked: $obj->EVERY::LAST::Init(\%args); } - package Derived1; + package Derived1; use base 'Base'; sub Init { my ($argsref) = @_; ... } - package Derived2; + package Derived2; use base 'Base', 'Derived1'; sub Init { my ($argsref) = @_; diff --git a/src/main/perl/lib/Pod/perl.pod b/src/main/perl/lib/Pod/perl.pod index 50a7c33c2..eee74c0a8 100644 --- a/src/main/perl/lib/Pod/perl.pod +++ b/src/main/perl/lib/Pod/perl.pod @@ -182,17 +182,6 @@ aux h2ph h2xs perlbug pl2pm pod2html pod2man splain xsubpp perlhist Perl history records perldelta Perl changes since previous version - perl54310delta Perl changes in version 5.43.10 - perl5439delta Perl changes in version 5.43.9 - perl5438delta Perl changes in version 5.43.8 - perl5437delta Perl changes in version 5.43.7 - perl5436delta Perl changes in version 5.43.6 - perl5435delta Perl changes in version 5.43.5 - perl5434delta Perl changes in version 5.43.4 - perl5433delta Perl changes in version 5.43.3 - perl5432delta Perl changes in version 5.43.2 - perl5431delta Perl changes in version 5.43.1 - perl5430delta Perl changes in version 5.43.0 perl5422delta Perl changes in version 5.42.2 perl5421delta Perl changes in version 5.42.1 perl5420delta Perl changes in version 5.42.0 diff --git a/src/main/perl/lib/Pod/perlclass.pod b/src/main/perl/lib/Pod/perlclass.pod index 655375801..e526186d7 100644 --- a/src/main/perl/lib/Pod/perlclass.pod +++ b/src/main/perl/lib/Pod/perlclass.pod @@ -416,33 +416,25 @@ including an ability for them to provide new class or field attributes. =head1 KNOWN BUGS -The following bugs have been found in the experimental C feature: +The following unresolved bugs exist in the experimental C feature: =over 4 =item * -Since Perl v5.38, inheriting from a parent class which is declared in the same -file and which hadn't already been sealed can cause a segmentation fault. -[L] - -=item * - -Since Perl v5.38 and with the experimental C feature, trying to -replace a field variable causes a segmentation fault. -[L] - -=item * - -Since Perl v5.38, it's possible to craft a class with leaky encapsulation, +It's possible to craft a class with leaky encapsulation, which can cause a segmentation fault. [L] +=item * +Declaring fields after declaring a nested subclass corrupts the object storage. +[L] + =item * -In Perl v5.38, inheriting from a class would not always attempt to load the -parent class (fixed in Perl v5.40). -[L] +Fields cannot be used by anonymous C expressions during C +phasers or as part of a C statement. +[L] =back diff --git a/src/main/perl/lib/Pod/perlclassguts.pod b/src/main/perl/lib/Pod/perlclassguts.pod index aa3e019a8..b25b5894c 100644 --- a/src/main/perl/lib/Pod/perlclassguts.pod +++ b/src/main/perl/lib/Pod/perlclassguts.pod @@ -311,7 +311,7 @@ exception is thrown. If the C field includes the C flag, this indicates that the op begins the special C CV. In this case it should additionally take the second value from the arguments list, which -should be a plain HV pointer (I, not via RV). and bind it to the +should be a plain HV pointer (I, not via RV), and bind it to the second pad slot, where the generated optree will expect to find it. =head2 OP_INITFIELD diff --git a/src/main/perl/lib/Pod/perldebug.pod b/src/main/perl/lib/Pod/perldebug.pod index 51473a7db..af5a91a69 100644 --- a/src/main/perl/lib/Pod/perldebug.pod +++ b/src/main/perl/lib/Pod/perldebug.pod @@ -584,7 +584,7 @@ See S>, too. =item !! cmd X -Run cmd in a subprocess (reads from DB::IN, writes to DB::OUT) See +Run cmd in a subprocess (reads from DB::IN, writes to DB::OUT). See S>, also. Note that the user's current shell (well, their C<$ENV{SHELL}> variable) will be used, which can interfere with proper interpretation of exit status or signal and coredump diff --git a/src/main/perl/lib/Pod/perldelta.pod b/src/main/perl/lib/Pod/perldelta.pod index b0d817d62..4eb36a8d1 100644 --- a/src/main/perl/lib/Pod/perldelta.pod +++ b/src/main/perl/lib/Pod/perldelta.pod @@ -2,157 +2,500 @@ =head1 NAME -[ this is a template for a new perldelta file. Any text flagged as XXX needs -to be processed before release. ] - -perldelta - what is new for perl v5.43.11 +perldelta - what is new for perl v5.44.0 =head1 DESCRIPTION -This document describes differences between the 5.43.10 release and the 5.43.11 +This document describes differences between the 5.42.0 release and the 5.44.0 release. -If you are upgrading from an earlier release such as 5.43.9, first read -L, which describes differences between 5.43.9 and 5.43.10. +=head1 Core Enhancements + +=head2 Named Parameters in Signatures -=head1 Notice +This adds a major new ability to subroutine signatures, allowing callers +to pass parameters by name/value pairs rather than by position. -XXX Any important notices here + sub f ($x, $y, :$alpha, :$beta = undef) { ... } -=head1 Core Enhancements + f( 123, 456, alpha => 789 ); + +Originally specified in +L. + +This feature is currently considered B, and is described in +further detail in L. + +=head2 Multi-variable C can now use aliased references + +Perl version 5.22 introduced reference aliases, allowing a C loop +iteration variable to create new aliases to references. Perl version 5.36 +introduced C loops with multiple variables, consuming more than one +input list item on each iteration. New in this version, the two features may +now be used together, allowing multiple iteration variables where any of them +are permitted to be reference aliases. + + use v5.44; + use feature qw( refaliasing declared_refs ); + + my %hash = ( + one => [1], + two => [2, 2], + ); + + foreach my ( $key, \@items ) ( %hash ) { + say "The $key array contains: @items"; + } + +Currently both the C and C features remain +B. + +=head2 Enhanced operation of regular expression patterns under /xx + +Experimentally, the C pattern modifier can allow bracketed +character classes (I, C<[a-zA-Z]> to extend across multiple lines +and to contain comments, and to warn you of potential cases where a +portion of a pattern inadvertently has been treated as a comment instead +of what you intended. This behavior is enabled by S>. See Lx and Exx>. + +=head2 Unicode 17.0 is supported + +See L. -XXX New core language features go here. Summarize user-visible core language -enhancements. Particularly prominent performance optimisations could go -here, but most should go in the L section. +=head2 New source of entropy for PRNG seeding -[ List each enhancement as a =head2 entry ] +Perl now uses the C system call to fetch random bytes suitable +for seeding the internal PRNG. Previously Perl would read raw bytes from the +F device. Perl now seeds itself in this order (and falls through +upon failure): + +=over + +=item 1. + +C on systems that support this call (Linux, BSD, MacOS) + +=item 2. + +F on systems that have it + +=item 3. + +Hash of internal state variables: Unix time, process ID, and pointer value + +=back + +Note that the internal PRNG is still unsuitable for security applications. +See L for a discussion of security. =head1 Security -XXX Any security-related notices go here. In particular, any security -vulnerabilities closed should be noted here rather than in the -L section. +=head2 CVE-2026-8376 - Buffer overflow in Perl_study_chunk -[ List each security issue as a =head2 entry ] +Perl_study_chunk in regcomp_study.c checked the size of the joined substring +buffer in characters rather than bytes. On 32-bit builds, this can lead to +an integer overflow of the size of the buffer leading to out-of-bounds writes. -=head1 Incompatible Changes +=head2 CVE-2026-57432 - Buffer overflow in S_measure_struct -XXX For a release on a stable branch, this section aspires to be: +If you call C or C to operate on a structure whose computed size +is too large to fit in memory, an integer overflow could happen that would +result in a buffer overflow. This usually happens as a result of embedding a +large number as the repeat count for an item. - There are no changes intentionally incompatible with 5.XXX.XXX - If any exist, they are bugs, and we request that you submit a - report. See L below. +=head2 CVE-2026-13221 - Regex trie 16-bit field overflow -[ List each incompatible change as a =head2 entry ] +The trie optimization in the regex engine could overflow in an alternation with more than ~65k branches. This could cause both false positives and false negatives on such regular expressions. + +=head1 Incompatible Changes + +=head2 Unicode rules are now fully enforced on identifier and regular expression group names. + +Before Unicode, Perl accepted any C<\w> character in an identifier or other +name, except the first character couldn't be a digit. Later, Unicode +created two properties that described this. Even later, they found +those properties to be insufficient, and created two new similar +properties. These are the ones that perl has intended to use since: +C<\p{XID_Start}> and C<\p{XID_Continue}>. (The C stands for +"eXtended" and indicates these are the more modern versions.) + +(And even later, long after Perl identifier rules were formed using +the above properties, Unicode added recommendations to further restrict +legal identifier names. These were added to counter cases where, for +example, programmers snuck code past reviewers using characters that +look like other ones. The two properties are C and +C. See L. Perl +currently doesn't do anything with these, except to furnish you the +ability to use them in regular expressions.) + +We soon discovered that there were 14 characters that match C +and C that don't also match C<\w>. To avoid breaking code +that had long relied on C<\w>, we chose to not add those to the list of +acceptable identifier characters. + +It turns out that there are about 160 characters that match C<\w> but +not the Unicode C properties. Thus they are illegal according to +Unicode. Those are now explicitly forbidden in both Perl identifiers +and regular expression group names. Previously, it was likely that +their use in identifiers wouldn't work anyway; they could be accepted +initially as legal, but other code would later reject them, but with a +message that had nothing to do with the underlying problem. However +group names in regular expression patterns could contain illegal +continuation characters and have a higher probability of not being +caught. That is now changed. + +Only programs that do L|utf8> can be affected, and then only +characters that appear in the 2nd or later positions of the name. The +characters that an identifier name can begin with are unchanged. + +130 of the now unacceptable characters are 5 sets of 26 Latin letters +that are enclosed by some shape, such as CIRCLED LATIN CAPITAL LETTER N. +Another 8 are generic modifiers that add shapes around other characters; +5 are modifiers to Cyrillic numbers; and 16 are Arabic ligatures and +isolated forms. The other two are GREEK YPOGEGRAMMENI and VERTICAL +TILDE. =head1 Deprecations -XXX Any deprecated features, syntax, modules etc. should be listed here. +=over 4 -=head2 Module removals +=item * -XXX Remove this section if not applicable. +Deprecated since 5.12, using C to jump into the body of a loop or +other block construct from outside is no longer permitted. +[L] -The following modules will be removed from the core distribution in a -future release, and will at that time need to be installed from CPAN. -Distributions on CPAN which require these modules will need to list them as -prerequisites. +=item * -The core versions of these modules will now issue C-category -warnings to alert you to this fact. To silence these deprecation warnings, -install the modules in question from CPAN. +C has new restrictions -Note that these are (with rare exceptions) fine modules that you are encouraged -to continue to use. Their disinclusion from core primarily hinges on their -necessity to bootstrapping a fully functional, CPAN-capable Perl installation, -not usually on concerns over their design. +Using an unescaped C<#> or literal vertical space is now deprecated in a +regular expression bracketed character class that is compiled with the +C modifier. These still work, but deprecation warnings will be +generated unless turned off or the constructs are cured as follows. =over -=item XXX +=item * + +Escape a C<#> by preceding it with a backslash, like in -XXX Note that deprecated modules should be listed here even if they are listed -as an updated module in the L section. + m/ [ % \# ( ) ] /xx + +=item * + +Use constructs like C<\n> instead of literal vertical space. =back -[ List each other deprecation as a =head2 entry ] +=back =head1 Performance Enhancements -XXX Changes which enhance performance without changing behaviour go here. -There may well be none in a stable release. +=over 4 + +=item * -[ List each enhancement as an =item entry ] +Simple (non-overflowing) addition (C<+>), subtraction (C<->) and +multiplication (C<*>) of integers are slightly sped up, as long as +sufficient underlying C compiler support is available. -=over 4 +=item * + +Populating a hash from a list of key/value pairs when the keys are constant +string operands known at compile time is commonly now faster. [L] =item * -XXX +Processing of signatures at the start of a subroutine under the C +feature is now more efficient at runtime. =back =head1 Modules and Pragmata -XXX All changes to installed files in F, F, F and F -go here. If L is updated, generate an initial draft of the -following sections using F. A paragraph summary -for important changes should then be added by hand. In an ideal world, -dual-life modules would have a F file that could be cribbed. +=head2 Updated Modules and Pragmata -The list of new and updated modules is modified automatically as part of -preparing a Perl release, so the only reason to manually add entries here is if -you're summarising the important changes in the module update. (Also, if the -manually-added details don't match the automatically-generated ones, the -release manager will have to investigate the situation carefully.) +=over 4 -[ Within each section, list entries as an =item entry ] +=item * -=head2 New Modules and Pragmata +L has been upgraded from version 3.04 to 3.12. -=over 4 +This fixes CVE-2026-9538, CVE-2026-42496, and CVE-2026-42497. =item * -XXX Remove this section if F did not add any content here. +L has been upgraded from version 0.36 to 0.37. -=back +=item * -=head2 Updated Modules and Pragmata +L has been upgraded from version 1.89 to 1.92. -=over 4 +=item * + +L has been upgraded from version 1.007 to 1.012. =item * -L has been upgraded from version A.xx to B.yy. +L has been upgraded from version 1.85 to 1.89. -XXX If there was something important to note about this change, include that here. +=item * -=back +L has been upgraded from version 1.50 to 1.51. -=head2 Removed Modules and Pragmata +=item * -=over 4 +L has been upgraded from version 2.213 to 2.218. =item * -XXX Remove this section if F did not add any content here. +L has been upgraded from version 2.213 to 2.222. -=back +=item * -=head1 Documentation +L has been upgraded from version 0.38 to 0.39. + +=item * + +L has been upgraded from version 2.150010 to 2.150013. + +=item * + +L has been upgraded from version 2.143 to 2.145. + +=item * + +L has been upgraded from version 1.859 to 1.860. + +=item * + +L has been upgraded from version 3.21 to 3.24. + +=item * + +L has been upgraded from version 1.11 to 1.12. + +=item * + +L has been upgraded from version 1.38 to 1.39. + +=item * + +L has been upgraded from version 0.035 to 0.036. + +=item * + +L has been upgraded from version 0.280242 to 0.280243. + +=item * + +L has been upgraded from version 7.76 to 7.78. + +=item * + +L has been upgraded from version 1.14 to 1.15. + +=item * + +L has been upgraded from version 3.57 to 3.63. -XXX Changes to files in F go here. Consider grouping entries by -file and be sure to link to the appropriate page, e.g. L. +=item * + +L has been upgraded from version 3.57 to 3.63. + +=item * + +L has been upgraded from version 1.97 to 2.02. + +=item * + +L has been upgraded from version 2.41 to 2.43. + +=item * + +L has been upgraded from version 1.04 to 1.08. + +=item * + +L has been upgraded from version 1.42 to 1.44. + +=item * -=head2 New Documentation +L has been upgraded from version 3.94 to 3.95. -XXX Changes which create B files in F go here. +=item * + +L has been upgraded from version 1.14 to 1.15. + +=item * + +L has been upgraded from version 0.2311 to 0.2312. + +=item * + +L has been upgraded from version 0.96 to 0.97. + +=item * + +L has been upgraded from version 1.64 to 1.65. + +=item * + +L has been upgraded from version 1.14 to 1.15. + +=item * -=head3 L +L has been upgraded from version 0.090 to 0.096. -XXX Description of the purpose of the new file here +This fixes CVE-2026-7010 and CVE-2026-7017. + +=item * + +L has been upgraded from version 1.55 to 1.56. + +=item * + +L has been upgraded from version 2.213 to 2.223. + +This fixes CVE-2025-15649, CVE-2026-48961, CVE-2026-48962, and CVE-2026-48959. + +=item * + +L has been upgraded from version 0.43 to 0.44. + +=item * + +L has been upgraded from version 2.005002 to 2.005003. + +=item * + +L has been upgraded from version 5.20250702 to 5.20260708. + +=item * + +L has been upgraded from version 1.000038 to 1.000039. + +=item * + +L has been upgraded from version 1.29 to 1.30. + +=item * + +L has been upgraded from version 2.76 to 2.77. + +=item * + +L has been upgraded from version 1.69 to 1.71. + +=item * + +L has been upgraded from version 0.02 to 0.03. + +=item * + +L has been upgraded from version 0.19 to 0.21. + +=item * + +L has been upgraded from version 1.35 to 1.36. + +=item * + +L has been upgraded from version 3.45 to 3.48. + +=item * + +L has been upgraded from version 2.23 to 2.26. + +=item * + +L has been upgraded from version 1.68_01 to 1.70. + +=item * + +L has been upgraded from version 1.02 to 1.03. + +=item * + +L has been upgraded from version 1.28 to 1.29. + +=item * + +L has been upgraded from version 2.038 to 2.041. + +This fixes CVE-2026-12087. + +=item * + +L has been upgraded from version 3.37 to 3.41. + +This fixes CVE-2026-57433. + +=item * + +L has been upgraded from version 0.024 to 0.028. + +=item * + +L has been upgraded from version 3.50 to 3.52. + +=item * + +L has been upgraded from version 1.302210 to 1.302219. + +=item * + +L has been upgraded from version 2.06 to 2.07. + +=item * + +L has been upgraded from version 2.43 to 2.45. + +=item * + +L has been upgraded from version 1.70 to 1.73. + +=item * + +L has been upgraded from version 1.9778 to 1.9780. + +=item * + +L has been upgraded from version 1.36 to 1.41. + +=item * + +L has been upgraded from version 0.81 to 0.83. + +=item * + +L has been upgraded from version 1.17 to 1.18. + +=item * + +L has been upgraded from version 1.27 to 1.29. + +=item * + +L has been upgraded from version 0.9933 to 0.9934. + +=item * + +L has been upgraded from version 1.74 to 1.78. + +=item * + +L has been upgraded from version 1.43 to 1.50. + +=item * + +L has been upgraded from version 0.20 to 0.22. + +=back + +=head1 Documentation =head2 Changes to Existing Documentation @@ -160,19 +503,43 @@ We have attempted to update the documentation to reflect the changes listed in this document. If you find any we have missed, open an issue at L. -XXX Changes which significantly change existing files in F go here. -However, any changes to F should go in the L -section. - Additionally, the following selected changes have been made: -=head3 L +=head3 L =over 4 =item * -XXX Description of the change here +Auto-generation of this document now includes the line number of the source +code, as well as its documentation. + +=item * + +It now contains information about how to find what release of +Perl first contained an API element. + +=back + +=head3 L + +=over 4 + +=item * + +New entry for "New object system and C syntax". + +=back + +=head3 L + +=over 4 + +=item * + +The reference manual for writing Perl XS code has been completely rewritten and +modernized. It is about twice the size of the old file, and promotes more +modern XS syntax, such as ANSI signatures. =back @@ -182,231 +549,811 @@ The following additions or changes have been made to diagnostic output, including warnings and fatal error messages. For the complete list of diagnostic messages, see L. -XXX New or changed warnings emitted by the core's C code go here. Also -include any changes in L that reconcile it to the C code. +=head2 Changes to Existing Diagnostics -=head2 New Diagnostics +=over 4 -XXX Newly added diagnostic messages go under here, separated into L -and L +=item * -=head3 New Errors +L -=over 4 +This warning was issued in the reverse order (right-to-left) when both +operands of a binary operator are uninitialized values. This is now +fixed to be consistent with evaluation order of operands. =item * -XXX L +Certain diagnostics about byte sequences that are supposed to comprise a +UTF-8 encoded character, but that are invalid in some way, now don't +include bytes irrelevant to that determination. An example is + +=over + +=item old message + +Malformed UTF-8 character: C<\xc1\x27> (any UTF-8 sequence that starts with +C<\xc1> is overlong which can and should be represented with a different, +shorter sequence) + +=item new message + +Malformed UTF-8 character: C<\xc1> (any UTF-8 sequence that starts with +C<\xc1> is overlong which can and should be represented with a different, +shorter sequence) =back -=head3 New Warnings +In this case the C<\xc1> is all that is needed to make the sequence +invalid. Whatever comes after it is irrelevant (in this case, C<\x27>), +and including it in the message might lead the reader to think that it +somehow does matter. -=over 4 +=item * + +The error C has been changed +to C. + +=item * + +Variables whose name started with C<^_> were incorrectly shown in +diagnostics with a literal C (which is an invisible ASCII +character) in their name. + +The names of variables whose names begin with a caret and are longer +than two characters are now wrapped in braces, just as they have to be +in the source code. + +Therefore, using an undefined C<${^_FOO}> will now correctly warn with +C, instead of the earlier C (with a literal C after the dollar +sign). + +[L] =item * -XXX L +Calling the C method on a package with no C method now +produces a regular warning rather than a deprecation warning or error. + +Since Perl 5.39.1, calling C with arguments on a package without +such a method has triggered a deprecation warning. In Perl 5.43.6, this +deprecation was promoted into an error. This broke a significant amount +of code while providing very little advantage over the warning. This +fatal error has been converted back to a warning, with its deprecation +status removed. There are no longer any plans to make this fatal in the +future. The category for this warning is C and it is +enabled by default. =back -=head2 Changes to Existing Diagnostics +=head2 New Diagnostics -XXX Changes (i.e. rewording) of diagnostic messages go here +=head3 New Errors =over 4 =item * -XXX Describe change here +L -=back +(F) A C, C or C keyword was used with the exception variable in +a C block: -=head1 Utility Changes + try { ... } + catch (my $e) { ... } + # or catch (our $e) { ... } + # or catch (state $e) { ... } -XXX Changes to installed programs such as F and F go here. -Most of these are built within the directory F. +This is not valid syntax. C takes a bare variable name, which is +automatically lexically declared. +[L] -[ List utility changes as a =head2 entry for each utility and =item -entries for each change -Use F with program names to get proper documentation linking. ] +=item * -=head2 F +L -=over 4 +(F) You have used C or C in an attempt to jump into +the body of a loop or other block construct from the outside. As of Perl 5.44, +this throws an exception. =item * -XXX +L<\x{%X} is a \w char that isn't valid in a name "%s" +|perldiag/\x{%X} is a \w char that isn't valid in a name "%s"> + +In most cases where this message now appears, an error would have +occurred anyway, but the text would not have been helpful in finding the +problem. =back -=head1 Configuration and Compilation +=head3 New Warnings + +=over 4 + +=item * + +L + +(W qw) qw() lists contain items separated by whitespace; contrary to +what some might expect, backslash characters cannot be used to "protect" +whitespace from being split, but are instead treated as literal data. -XXX Changes to F, F, F, and analogous tools -go here. Any other changes to the Perl build process should be listed here. -However, any platform-specific changes should be listed in the -L section, instead. +Note that this warning is I emitted when the backslash is followed +by actual whitespace (that C splits on). -[ List changes as an =item entry ]. +=back + +=head1 Configuration and Compilation =over 4 =item * -XXX +C23 F<< >> and associated macros are now used if available. -=back +=item * -=head1 Testing +It is now possible to pass to F the values dealing with POSIX +locale categories, overriding its automatic calculation of these. This +enables cross-compilation to work. The easiest way to do this is to +extract the C program that does the calculation from F and +then run it on the target machine, and then pass the values it outputs +to F on the other machine. F has examples. +[L] -XXX Any significant changes to the testing of a freshly built perl should be -listed here. Changes which create B files in F go here as do any -large changes to the testing harness (e.g. when parallel testing was added). -Changes to existing files in F aren't worth summarizing, although the bugs -that they represent may be covered elsewhere. +=item * -XXX If there were no significant test changes, say this: +The C configuration macro has been removed. It was almost +undocumented and it has been disabled by default since Perl 5.10.0. Its purpose +was to force all GVs to initialize their SV slot on creation. [L] -Tests were added and changed to reflect the other additions and changes -in this release. +=back -XXX If instead there were significant changes, say this: +=head1 Testing Tests were added and changed to reflect the other additions and -changes in this release. Furthermore, these significant changes were +changes in this release. Furthermore, these changes were made: -[ List each test improvement as an =item entry ] - =over 4 =item * -XXX +Karl Williamson gave a talk at TPRC 2025 asking people to contribute +tests to find old issues that are no longer a problem, and todo tests +to reflect reproduction cases for known outstanding bugs. +(L