This is the first thawed release as part of the new upstream,
and archive (and continued development) of http://www.ossp.org software.
Please see
https://sr.ht/~nabijaczleweli/ossp
to learn more.
Old ossp-eperl tarballs are retained at
https://lfs.nabijaczleweli.xyz/0022-OSSP.org-mirror/ftp.ossp.org/ossp-ftp/pkg/tool/eperl
the new release tarball (and signature, same as this mail) can be obtained from
https://git.sr.ht/~nabijaczleweli/ossp-eperl/refs/ePerl_2_2_15
The manual is available on-line and at
https://srhtcdn.githack.com/~nabijaczleweli/ossp-eperl/blob/man/ossp-eperl.pdf
As standard fare, the detailed changelog/version/contributor history and NEWS
are now maintained as part of the tags and these release mails
(the old files have been inlined as appropriate).
This release:
0. fixes #sinclude to /actually/ remove all delimiters:
on every version with the preprocessor (2.2+)
$ A: #sinclude B
$ B: <<::system("id")::>>
$ eperl -P A
executed id
(potentially-remote code execution introduced in 2.2.0:
https://lists.sr.ht/~nabijaczleweli/ossp/%3Cvbemeg42slelczbsq3dggk5f77qw4k7fpbtwlbozdaxivkwjlc@tarta.nabijaczleweli.xyz%3E)
1. removes the embedded GNU getopt (whose LGPL-2.1-or-later licence
turned the overall "Artistic-1.0-Perl OR GPL-2.0-only" into just GPL)
2. supports modern Perl (5.36.0)
3. removes Apache::ePerl (it's for Apache 1 which was removed in lenny (2009))
4. fixes every fixed-size buffer and behaviour in multi-threaded Perl
(which usually had the side-effect of memory corruption if blown)
5. reworks the build system so you get everything from the top-level autoconf
(also configure --with-allowed-caller-uids="nobody, root, www-data")
6. returns all HTTP responses with CR LF status line/headers
7. stops disabling Perl STDOUT buffering
8. stops having like 7 non-O_CLOEXEC file descriptors
9. fixes Y2K
10. file descriptor 11/12 being always overridden with original stdin/stdout
11. fixes $SCRIPT_SRC_{PATH,URL}{,_DIR}
12. correctly implements setting the process title (need setproctitle(3))
13. fixes #sinclude tag elimination not obeying -i (always case-insensitive)
14. fixes ÿ being soft hyphen () instead of y umlaut (ÿ)
15. fixes entity decoding not working... sometimes? with adjacent entitites
16. fixes HEAD requests not having headers
17. fixes Parse::ePerl::Preprocess() and ::PP() universally segfaulting
18. fixes #c comments to behave as documented and remove the line outright
19. allows the first line of output to be an HTTP status line in NPH mode
("HTTP/1.[01] 123 Status Name") instead of always responding 200
20. Parse::ePerl::Preprocess() takes optional BeginDelimiter/EndDelimiter
::PP() takes optional begin/end delimiter scalars
(both default to <: & :>)
This release is believed to fix every outstanding issue
(reported to upstream/Debian/Fedora/Gentoo (the latter two had none)),
and to incorporate or supersede every downstream patch.
These bugs were fixed:
https://todo.sr.ht/~nabijaczleweli/ossp/219 abspath() ($SCRIPT_SRC_{PATH,URL}{_DIR}) appends directory bit of relative path twice
https://todo.sr.ht/~nabijaczleweli/ossp/220 $SCRIPT_SRC_URL_DIR isn't (it's the same as $SCRIPT_SRC_URL)
Debian#1080494 eperl: unsubstituted version in manual
Debian#1082546 /usr/share/doc/eperl/utils/del2del: doesn't compile with modern perl (also it should be executable probably)
-- >8 -- NEWS -- >8 --
Major Changes from ePerl Version 2.2 to 2.3
===========================================
o ....
Major Changes from ePerl Version 2.1 to 2.2
===========================================
o Changed Quotation/Delimiter Parsing
Now again (as in 2.0.3) ePerl block end delimiters are found via plain
forward character search. Quoted strings are no more recognized. The
reason behind this change is that constructs with odd number of quoting
characters are more often seen in practice than end delimiters in quoted
strings (at least when using non-trivial delimiters). And it is easier
to escape the end delimiter in quoted strings (e.g. via backslashes) than
to rewrite a existing complex Perl construct with odd number of quotes
(e.g. m|"[^"]+"|).
The advantage: A lot of scripts with complex Perl constructs (which never
worked with ePerl in the past) now run out-of-the-box, too. The
disadvantage: Scripts which have the end delimiter in a quoted string are
broken now. You have to escape it to fix your script.
Additionally to be more flexible with some special delimiter variants
like <script language="ePerl">..</script> a new option -i was added to
ePerl to make the delimiters case-insensitive.
o Smarter and Optimized Parser
Now ePerl recognizes final semicolons and automatically adds one if
missing. So <: cmd; cmd :> now is also valid syntax. And the ePerl parser
now strips off unnecessary whitespaces both at the begin and end of a
block. This now results in much cleaner translated Perl scripts.
Additionally the parser was slightly optimized by no longer producing
useless ``print "";'' constructs.
o Support for '=' block prefix
Now <:= XXX :> (assuming the default delimiters but works with any)
automatically is converted to "<: print XXX; :>". Use this shortcut to
interpolate a variable in a more shorter way via <:=$variable:> instead
of the long and annoying <: print $variable; :>. Very useful within CGI
scripts to shorten the ePerl stuff, for instance
<?=$ENV{SCRIPT_SRC_MODIFIED_ISOTIME}!>.
o HTML entity conversion inside ePerl blocks
ePerl now provides the special option -C for enabling a HTML entity
conversion which is applied inside ePerl blocks before parsing. This
option is automatically used in (NPH-)CGI mode.
The solved problem here is the following: When you use ePerl as a
Server-Side-Scripting-Language for HTML pages and you edit your ePerl
source files via a HTML editor, the chance is high that your editor
translates some entered characters to HTML entities, for instance ``<''
to ``<''. This leads to invalid Perl code inside ePerl blocks,
because the HTML editor has no knowledge about ePerl blocks. Using this
option the ePerl parser automatically converts all entities found inside
ePerl blocks back to plain characters, so the Perl interpreter again
receives valid Perl code blocks.
o Perl Taint and Warning modes now available
Now ePerl has two new options similar to the plain ``perl'' program:
Option -T for enabling the Tainting mode and option -w for enabling
Warning messages of the Perl interpreter.
o New ePerl Preprocessor
ePerl now provides an own preprocessor similar to F<CPP> (from the C
language) in style which is either enabled manually via the new option -P
or automatically when ePerl runs in (NPH-)CGI mode. The following
directives are provided:
#include path, #sinclude path .......... standard and secure include
#if expr, #elsif expr, #else #endif .... shortcut for Perl if-construct
#c .................................... preprocessor comment
o New option -I for include path
This new option specifies a directory which is both used for #include and
#sinclude directives of the new ePerl preprocessor and added to @INC
under runtime.
o New Perl 5 interface module for ePerl parser: Parse::ePerl
A new Perl 5 interface module named Parse::ePerl was created which makes
the ePerl parser available from within Perl scripts itself via "use
Parse::ePerl". This module can be compiled and installed directly from
within the distribution via
$ perl Makefile.PL
$ make
$ make install
which is possible by a top-level pseudo-MakeMaker Makefile.PL which
handles these typical steps, i.e. the ePerl distribution now is a hybrid
distribution.
o New ePerl emulation handler for Apache+mod_perl: Apache::ePerl
A new ePerl handler for Apache/mod_perl was written and put into a
Apache::ePerl module. This replaces the Apache::ePerl from Mark Imbriaco
and Hanno Mueller. The big difference between this one and Mark I.'s or
Hanno M.'s versions are that that version makes use of the new
Parse::ePerl module which itself incorporates the original ePerl parser.
So this version is more compliant to the original ePerl facility and
emulates it more strictly.
o New option -h for consistency ;-)
Just to be consequent with options a -h option was added to show the
usage list.
o First attempt to write a converter from (X)SSI to ePerl
A Perl script was added to the distribution which converts most of the
(X)SSI directives into the corresponding or emulating ePerl directives.
It is called shtml2phtml and can be found under contrib/ in the
distribution.
o Built-in GIF images
Again the GIF images are built right into the executable to make ePerl
run out-of-the-box without any need for configurations. Additionally to
the ePerl Logo (which can be access via URL /url/to/nph-eperl/logo.gif)
there is a second image available: The POWERED-BY-EPERL image. It can be
accessed via URL /url/to/nph-eperl/powered.gif.
o Enhanced portability
Now the GNU autoconf-based configuration scheme determines all
compilation parameters (CC, CFLAGS, etc.) directly from the knowledge of
the installed Perl system. This way it gets compiled with the same tools
as Perl which greatly enhances the portability.
Additionally the old egetopt function was replaced by the GNU getopt
package which is more reliable and even works on all major Unix derivates
(egetopt had problems under IRIX).
o Compiles and runs out-of-the-box on major Unix derivates.
ePerl was already tested to compile out-of-the-box and pass the test
suite successfully with Perl 5.003 (+EMBED) or 5.004 under FreeBSD 2.1.5,
FreeBSD 2.2.1, BSD/OS 2.1, SunOS 4.1.3, Solaris 2.5.1, HP-UX 10.20, IRIX
6.2 and Linux 2.0.18.
Major Changes from ePerl Version 2.0 to 2.1
===========================================
License:
o License changed to GNU General Public License and Artistic License
ePerl now is distributed the same way as Perl itself, i.e. under the
terms of the Artistic License or the GNU General Public License from the
Perl 5.0 source kit. The more old and more restrictive license was
removed.
Runtime Behavior:
o Can operate in three runtime modes: FILTER, CGI and NPH-CGI.
ePerl now can operate in three runtime modes: First a real Unix
filtering mode (the default when not run from within a webserver
environment), second a CGI/1.1 compliant mode which uses the CGI/1.1
environment to find the script and generates HTTP header lines. Third a
NPH-CGI/1.1 complaint mode which is similar to the plain CGI mode, but
here a complete HTTP response is created as a result.
o Can be used as a Shebang (#!) interpreter.
ePerl now supports the Unix shebang technique for implicit script
interpreter usage via the ``#!/path/to/eperl'' lines preceding the
script. These get stripped on output.
o New CGI security check: Script has to end in hard-coded extensions.
A important security check for the CGI and NPH-CGI modes were added. The
script has to end in one of the following extensions which are
hard-coded into the ePerl executable at compile time:
.html, .phtml, .ephtml, .epl, .pl, .cgi
o Can switch to UID/GID of script owner.
In CGI and NPH-CGI mode ePerl now can switch to the UID/GID of the
script owner in a secure way when running as a setuid program. This is
useful because it makes the owners data more secure ( aux files no
longer need to be world-readable and temporary files and dirs no longer
need to be world-writable!). ePerl tries hard to make both the setuid
environment and this transition secure: The transition is only done when
various security checks are passed successfully and the setuid
environment is always discarded, even when no switching was done. For
details in the manpage.
o Provides own environment variables to the script.
ePerl now provides some useful environment variables which can be
interpolated via $ENV{'VARIABLE'} in the script. There are variables for
the size of the script, the last modification time, the script owner,
the ePerl interpreter version and the Perl language version.
Command Line Options:
o ePerl block delimiters adjustable.
Now you can set the ePerl block delimiters on the command line. Per
default ``<?'' and ``!>'' are set for CGI and NPH-CGI runtime modes,
while for the FILTER runtime mode the delimiters now are ``<:'' and
``:>''. This way ePerl can be easily used for instance both as a
offline HTML generation language and as a online scripting language.
The Website META Language (WML; http://www.engelschall.com/sw/wml) is an
example of this usage.
o CGI and NPH-CGI modes can be tested offline.
The runtime mode can be forced on the command line, so one now can test
the CGI and NPH-CGI modes offline from the shell.
o Optionally keeps the current working directory.
ePerl usually changes the CWD under runtime to the directory where the
executed script resides. This is useful for CGI scripts to be able to
use relative paths when accessing aux files). For FILTER mode this is
disabled per default. With the command line option one can force this
for CGI and NPH-CGI modes, too.
o Custom environment and real Perl variables can be set.
ePerl now provides the -E and -D command line options which can be used
to define either environment variables ($ENV{'VARIABLE'}) or real Perl
variables ($[main::]VARIABLE) for the script. This is a useful way of
sending information to the script when using ePerl in FILTER mode.
o Enhanced I/O: Can read/write both from STDIO and external files.
ePerl now can either read the script to execute from STDIN or external
files. And it can write the result either to STDOUT or an explicitly
specified file. With this ePerl can be used in all batch processing
steps.
Documentation:
o Unix Manpage was created.
Now ePerl has a real Unix manpage which documents the whole
functionality of the program: Runtime modes, Command line options,
environment variables, etc.
Compilation:
o Automatically finds latest Perl.
Can be forced to use a particular Perl.
When configuring the ePerl source tree via ``configure'', now the latest
Perl on your system is automatically found per default. If this is not
what you want you can force the use of a particular Perl via configure
option ``--with-perl=/path/to/perl''.
o Auxiliary files built-in.
Now all auxiliary files get built-in directly into the ``eperl''
executable, even the GIF image file which contains the ePerl logo for
error messages. This way no filesystem paths or URLs need to be compiled
into the ePerl binary.
o Contains a Test::Harness test suite.
ePerl now contains a test suite based on the Perl module Test::Harness
which can be run after compilation via ``make test'' from to make sure
the compiled ePerl binary works correct.
o Source code was completely reorganized.
The sources of ePerl were completely reorganized in the last months. Now
prototypes are automatically generated, the library file was removed,
the aux files are converted to C code, etc.
o Compiles out-of-the-box on major Unix derivates.
ePerl now compiles out-of-the box with Perl 5.003 (EMBED) and 5.003_97
(development version) under FreeBSD, Linux, SunOS, Solaris and HP/UX.