/ 
perl-5.9.5
River stage five • 12548 direct dependents • 35191 total dependents
/ lib/Module/Pluggable.pm
Security Advisories (24)
CVE-2011-2728 (2012-12-21)

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2013-1667 (2013-03-14)

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVE-2010-4777 (2014-02-10)

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash.

CVE-2010-1158 (2010-04-20)

Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.

CVE-2009-3626 (2009-10-29)

Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.

CVE-2005-3962 (2005-12-01)

Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.

CVE-2012-5195 (2012-12-18)

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

CVE-2016-2381 (2016-04-08)

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2013-7422 (2015-08-16)

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

CVE-2011-1487 (2011-04-11)

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

NAME

Module::Pluggable - automatically give your module the ability to have plugins

SYNOPSIS

Simple use Module::Pluggable -

package MyClass;
use Module::Pluggable;

and then later ...

use MyClass;
my $mc = MyClass->new();
# returns the names of all plugins installed under MyClass::Plugin::*
my @plugins = $mc->plugins();

EXAMPLE

Why would you want to do this? Say you have something that wants to pass an object to a number of different plugins in turn. For example you may want to extract meta-data from every email you get sent and do something with it. Plugins make sense here because then you can keep adding new meta data parsers and all the logic and docs for each one will be self contained and new handlers are easy to add without changing the core code. For that, you might do something like ...

package Email::Examiner;

use strict;
use Email::Simple;
use Module::Pluggable require => 1;

sub handle_email {
    my $self  = shift;
    my $email = shift;

    foreach my $plugin ($self->plugins) {
        $plugin->examine($email);
    }

    return 1;
}

.. and all the plugins will get a chance in turn to look at it.

This can be trivally extended so that plugins could save the email somewhere and then no other plugin should try and do that. Simply have it so that the examine method returns 1 if it has saved the email somewhere. You might also wnat to be paranoid and check to see if the plugin has an examine method.

foreach my $plugin ($self->plugins) {
    next unless $plugin->can('examine');
    last if     $plugin->examine($email);
}

And so on. The sky's the limit.

DESCRIPTION

Provides a simple but, hopefully, extensible way of having 'plugins' for your module. Obviously this isn't going to be the be all and end all of solutions but it works for me.

Essentially all it does is export a method into your namespace that looks through a search path for .pm files and turn those into class names.

Optionally it instantiates those classes for you.

ADVANCED USAGE

Alternatively, if you don't want to use 'plugins' as the method ...

package MyClass;
use Module::Pluggable sub_name => 'foo';

and then later ...

my @plugins = $mc->foo();

Or if you want to look in another namespace

package MyClass;
use Module::Pluggable search_path => ['Acme::MyClass::Plugin', 'MyClass::Extend'];

or directory

use Module::Pluggable search_dirs => ['mylibs/Foo'];

Or if you want to instantiate each plugin rather than just return the name

package MyClass;
use Module::Pluggable instantiate => 'new';

and then

# whatever is passed to 'plugins' will be passed 
# to 'new' for each plugin 
my @plugins = $mc->plugins(@options);

alternatively you can just require the module without instantiating it

package MyClass;
use Module::Pluggable require => 1;

since requiring automatically searches inner packages, which may not be desirable, you can turn this off

package MyClass;
use Module::Pluggable require => 1, inner => 0;

You can limit the plugins loaded using the except option, either as a string, array ref or regex

package MyClass;
use Module::Pluggable except => 'MyClass::Plugin::Foo';

or

package MyClass;
use Module::Pluggable except => ['MyClass::Plugin::Foo', 'MyClass::Plugin::Bar'];

or

package MyClass;
use Module::Pluggable except => qr/^MyClass::Plugin::(Foo|Bar)$/;

and similarly for only which will only load plugins which match.

Remember you can use the module more than once

package MyClass;
use Module::Pluggable search_path => 'MyClass::Filters' sub_name => 'filters';
use Module::Pluggable search_path => 'MyClass::Plugins' sub_name => 'plugins';

and then later ...

my @filters = $self->filters;
my @plugins = $self->plugins;

INNER PACKAGES

If you have, for example, a file lib/Something/Plugin/Foo.pm that contains package definitions for both Something::Plugin::Foo and Something::Plugin::Bar then as long as you either have either the require or instantiate option set then we'll also find Something::Plugin::Bar. Nifty!

OPTIONS

You can pass a hash of options when importing this module.

The options can be ...

sub_name

The name of the subroutine to create in your namespace.

By default this is 'plugins'

search_path

An array ref of namespaces to look in.

search_dirs

An array ref of directorys to look in before @INC.

instantiate

Call this method on the class. In general this will probably be 'new' but it can be whatever you want. Whatever arguments are passed to 'plugins' will be passed to the method.

The default is 'undef' i.e just return the class name.

require

Just require the class, don't instantiate (overrides 'instantiate');

inner

If set to 0 will not search inner packages. If set to 1 will override require.

only

Takes a string, array ref or regex describing the names of the only plugins to return. Whilst this may seem perverse ... well, it is. But it also makes sense. Trust me.

except

Similar to only it takes a description of plugins to exclude from returning. This is slightly less perverse.

package

This is for use by extension modules which build on Module::Pluggable: passing a package option allows you to place the plugin method in a different package other than your own.

file_regex

By default Module::Pluggable only looks for .pm files.

By supplying a new file_regex then you can change this behaviour e.g

file_regex => qr/\.plugin$/

METHODs

search_path

The method search_path is exported into you namespace as well. You can call that at any time to change or replace the search_path.

$self->search_path( add => "New::Path" ); # add
$self->search_path( new => "New::Path" ); # replace

FUTURE PLANS

This does everything I need and I can't really think of any other features I want to add. Famous last words of course

Recently tried fixed to find inner packages and to make it 'just work' with PAR but there are still some issues.

However suggestions (and patches) are welcome.

AUTHOR

Simon Wistow <simon@thegestalt.org>

COPYING

Copyright, 2006 Simon Wistow

Distributed under the same terms as Perl itself.

BUGS

None known.

SEE ALSO

File::Spec, File::Find, File::Basename, Class::Factory::Util, Module::Pluggable::Ordered