Provided by: tcl8.6-doc_8.6.12+dfsg-1build1_all 
NAME
safe - Creating and manipulating safe interpreters
SYNOPSIS
::safe::interpCreate ?child? ?options...?
::safe::interpInit child ?options...?
::safe::interpConfigure child ?options...?
::safe::interpDelete child
::safe::interpAddToAccessPath child directory
::safe::interpFindInAccessPath child directory
::safe::setLogCmd ?cmd arg...?
OPTIONS
?-accessPath pathList? ?-statics boolean? ?-noStatics? ?-nested boolean? ?-nestedLoadOk?
?-deleteHook script?
_________________________________________________________________________________________________
DESCRIPTION
Safe Tcl is a mechanism for executing untrusted Tcl scripts safely and for providing
mediated access by such scripts to potentially dangerous functionality.
Safe Tcl ensures that untrusted Tcl scripts cannot harm the hosting application. It
prevents integrity and privacy attacks. Untrusted Tcl scripts are prevented from
corrupting the state of the hosting application or computer. Untrusted scripts are also
prevented from disclosing information stored on the hosting computer or in the hosting
application to any party.
Safe Tcl allows a parent interpreter to create safe, restricted interpreters that contain
a set of predefined aliases for the source, load, file, encoding, and exit commands and
are able to use the auto-loading and package mechanisms.
No knowledge of the file system structure is leaked to the safe interpreter, because it
has access only to a virtualized path containing tokens. When the safe interpreter
requests to source a file, it uses the token in the virtual path as part of the file name
to source; the parent interpreter transparently translates the token into a real directory
name and executes the requested operation (see the section SECURITY below for details).
Different levels of security can be selected by using the optional flags of the commands
described below.
All commands provided in the parent interpreter by Safe Tcl reside in the safe namespace.
COMMANDS
The following commands are provided in the parent interpreter:
::safe::interpCreate ?child? ?options...?
Creates a safe interpreter, installs the aliases described in the section ALIASES
and initializes the auto-loading and package mechanism as specified by the supplied
options. See the OPTIONS section below for a description of the optional
arguments. If the child argument is omitted, a name will be generated.
::safe::interpCreate always returns the interpreter name.
The interpreter name child may include namespace separators, but may not have
leading or trailing namespace separators, or excess colon characters in namespace
separators. The interpreter name is qualified relative to the global namespace ::,
not the namespace in which the ::safe::interpCreate command is evaluated.
::safe::interpInit child ?options...?
This command is similar to interpCreate except it that does not create the safe
interpreter. child must have been created by some other means, like interp create
-safe. The interpreter name child may include namespace separators, subject to the
same restrictions as for interpCreate.
::safe::interpConfigure child ?options...?
If no options are given, returns the settings for all options for the named safe
interpreter as a list of options and their current values for that child. If a
single additional argument is provided, it will return a list of 2 elements name
and value where name is the full name of that option and value the current value
for that option and the child. If more than two additional arguments are provided,
it will reconfigure the safe interpreter and change each and only the provided
options. See the section on OPTIONS below for options description. Example of
use:
# Create new interp with the same configuration as "$i0":
set i1 [safe::interpCreate {*}[safe::interpConfigure $i0]]
# Get the current deleteHook
set dh [safe::interpConfigure $i0 -del]
# Change (only) the statics loading ok attribute of an
# interp and its deleteHook (leaving the rest unchanged):
safe::interpConfigure $i0 -delete {foo bar} -statics 0
::safe::interpDelete child
Deletes the safe interpreter and cleans up the corresponding parent interpreter
data structures. If a deleteHook script was specified for this interpreter it is
evaluated before the interpreter is deleted, with the name of the interpreter as an
additional argument.
::safe::interpFindInAccessPath child directory
This command finds and returns the token for the real directory directory in the
safe interpreter's current virtual access path. It generates an error if the
directory is not found. Example of use:
$child eval [list set tk_library \
[::safe::interpFindInAccessPath $name $tk_library]]
::safe::interpAddToAccessPath child directory
This command adds directory to the virtual path maintained for the safe interpreter
in the parent, and returns the token that can be used in the safe interpreter to
obtain access to files in that directory. If the directory is already in the
virtual path, it only returns the token without adding the directory to the virtual
path again. Example of use:
$child eval [list set tk_library \
[::safe::interpAddToAccessPath $name $tk_library]]
::safe::setLogCmd ?cmd arg...?
This command installs a script that will be called when interesting life cycle
events occur for a safe interpreter. When called with no arguments, it returns the
currently installed script. When called with one argument, an empty string, the
currently installed script is removed and logging is turned off. The script will
be invoked with one additional argument, a string describing the event of interest.
The main purpose is to help in debugging safe interpreters. Using this facility
you can get complete error messages while the safe interpreter gets only generic
error messages. This prevents a safe interpreter from seeing messages about
failures and other events that might contain sensitive information such as real
directory names.
Example of use:
::safe::setLogCmd puts stderr
Below is the output of a sample session in which a safe interpreter attempted to
source a file not found in its virtual access path. Note that the safe interpreter
only received an error message saying that the file was not found:
NOTICE for child interp10 : Created
NOTICE for child interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=()
NOTICE for child interp10 : auto_path in interp10 has been set to {$p(:0:)}
ERROR for child interp10 : /foo/bar/init.tcl: no such file or directory
OPTIONS
The following options are common to ::safe::interpCreate, ::safe::interpInit, and
::safe::interpConfigure. Any option name can be abbreviated to its minimal non-ambiguous
name. Option names are not case sensitive.
-accessPath directoryList
This option sets the list of directories from which the safe interpreter can source
and load files. If this option is not specified, or if it is given as the empty
list, the safe interpreter will use the same directories as its parent for auto-
loading. See the section SECURITY below for more detail about virtual paths,
tokens and access control.
-statics boolean
This option specifies if the safe interpreter will be allowed to load statically
linked packages (like load {} Tk). The default value is true : safe interpreters
are allowed to load statically linked packages.
-noStatics
This option is a convenience shortcut for -statics false and thus specifies that
the safe interpreter will not be allowed to load statically linked packages.
-nested boolean
This option specifies if the safe interpreter will be allowed to load packages into
its own sub-interpreters. The default value is false : safe interpreters are not
allowed to load packages into their own sub-interpreters.
-nestedLoadOk
This option is a convenience shortcut for -nested true and thus specifies the safe
interpreter will be allowed to load packages into its own sub-interpreters.
-deleteHook script
When this option is given a non-empty script, it will be evaluated in the parent
with the name of the safe interpreter as an additional argument just before
actually deleting the safe interpreter. Giving an empty value removes any
currently installed deletion hook script for that safe interpreter. The default
value ({}) is not to have any deletion call back.
ALIASES
The following aliases are provided in a safe interpreter:
source fileName
The requested file, a Tcl source file, is sourced into the safe interpreter if it
is found. The source alias can only source files from directories in the virtual
path for the safe interpreter. The source alias requires the safe interpreter to
use one of the token names in its virtual path to denote the directory in which the
file to be sourced can be found. See the section on SECURITY for more discussion
of restrictions on valid filenames.
load fileName
The requested file, a shared object file, is dynamically loaded into the safe
interpreter if it is found. The filename must contain a token name mentioned in
the virtual path for the safe interpreter for it to be found successfully.
Additionally, the shared object file must contain a safe entry point; see the
manual page for the load command for more details.
file ?subCmd args...?
The file alias provides access to a safe subset of the subcommands of the file
command; it allows only dirname, join, extension, root, tail, pathname and split
subcommands. For more details on what these subcommands do see the manual page for
the file command.
encoding ?subCmd args...?
The encoding alias provides access to a safe subset of the subcommands of the
encoding command; it disallows setting of the system encoding, but allows all
other subcommands including system to check the current encoding.
exit The calling interpreter is deleted and its computation is stopped, but the Tcl
process in which this interpreter exists is not terminated.
SECURITY
Safe Tcl does not attempt to completely prevent annoyance and denial of service attacks.
These forms of attack prevent the application or user from temporarily using the computer
to perform useful work, for example by consuming all available CPU time or all available
screen real estate. These attacks, while aggravating, are deemed to be of lesser
importance in general than integrity and privacy attacks that Safe Tcl is to prevent.
The commands available in a safe interpreter, in addition to the safe set as defined in
interp manual page, are mediated aliases for source, load, exit, and safe subsets of file
and encoding. The safe interpreter can also auto-load code and it can request that
packages be loaded.
Because some of these commands access the local file system, there is a potential for
information leakage about its directory structure. To prevent this, commands that take
file names as arguments in a safe interpreter use tokens instead of the real directory
names. These tokens are translated to the real directory name while a request to, e.g.,
source a file is mediated by the parent interpreter. This virtual path system is
maintained in the parent interpreter for each safe interpreter created by
::safe::interpCreate or initialized by ::safe::interpInit and the path maps tokens
accessible in the safe interpreter into real path names on the local file system thus
preventing safe interpreters from gaining knowledge about the structure of the file system
of the host on which the interpreter is executing. The only valid file names arguments
for the source and load aliases provided to the child are path in the form of [file join
token filename] (i.e. when using the native file path formats: token/filename on Unix and
token\filename on Windows), where token is representing one of the directories of the
accessPath list and filename is one file in that directory (no sub directories access are
allowed).
When a token is used in a safe interpreter in a request to source or load a file, the
token is checked and translated to a real path name and the file to be sourced or loaded
is located on the file system. The safe interpreter never gains knowledge of the actual
path name under which the file is stored on the file system.
To further prevent potential information leakage from sensitive files that are
accidentally included in the set of files that can be sourced by a safe interpreter, the
source alias restricts access to files meeting the following constraints: the file name
must fourteen characters or shorter, must not contain more than one dot (“.”), must end up
with the extension (“.tcl”) or be called (“tclIndex”.)
Each element of the initial access path list will be assigned a token that will be set in
the child auto_path and the first element of that list will be set as the tcl_library for
that child.
If the access path argument is not given or is the empty list, the default behavior is to
let the child access the same packages as the parent has access to (Or to be more precise:
only packages written in Tcl (which by definition cannot be dangerous as they run in the
child interpreter) and C extensions that provides a _SafeInit entry point). For that
purpose, the parent's auto_path will be used to construct the child access path. In order
that the child successfully loads the Tcl library files (which includes the auto-loading
mechanism itself) the tcl_library will be added or moved to the first position if
necessary, in the child access path, so the child tcl_library will be the same as the
parent's (its real path will still be invisible to the child though). In order that auto-
loading works the same for the child and the parent in this by default case, the first-
level sub directories of each directory in the parent auto_path will also be added (if not
already included) to the child access path. You can always specify a more restrictive
path for which sub directories will never be searched by explicitly specifying your
directory list with the -accessPath flag instead of relying on this default mechanism.
When the accessPath is changed after the first creation or initialization (i.e. through
interpConfigure -accessPath list), an auto_reset is automatically evaluated in the safe
interpreter to synchronize its auto_index with the new token list.
SEE ALSO
interp(3tcl), library(3tcl), load(3tcl), package(3tcl), source(3tcl), unknown(3tcl)
KEYWORDS
alias, auto-loading, auto_mkindex, load, parent interpreter, safe interpreter, child
interpreter, source