Commit | Line | Data |
---|---|---|
920dae64 AT |
1 | '\" |
2 | '\" Copyright (c) 1995-1996 Sun Microsystems, Inc. | |
3 | '\" | |
4 | '\" See the file "license.terms" for information on usage and redistribution | |
5 | '\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. | |
6 | '\" | |
7 | '\" RCS: @(#) $Id: safe.n,v 1.4.2.1 2004/10/27 14:23:58 dkf Exp $ | |
8 | '\" | |
9 | '\" The definitions below are for supplemental macros used in Tcl/Tk | |
10 | '\" manual entries. | |
11 | '\" | |
12 | '\" .AP type name in/out ?indent? | |
13 | '\" Start paragraph describing an argument to a library procedure. | |
14 | '\" type is type of argument (int, etc.), in/out is either "in", "out", | |
15 | '\" or "in/out" to describe whether procedure reads or modifies arg, | |
16 | '\" and indent is equivalent to second arg of .IP (shouldn't ever be | |
17 | '\" needed; use .AS below instead) | |
18 | '\" | |
19 | '\" .AS ?type? ?name? | |
20 | '\" Give maximum sizes of arguments for setting tab stops. Type and | |
21 | '\" name are examples of largest possible arguments that will be passed | |
22 | '\" to .AP later. If args are omitted, default tab stops are used. | |
23 | '\" | |
24 | '\" .BS | |
25 | '\" Start box enclosure. From here until next .BE, everything will be | |
26 | '\" enclosed in one large box. | |
27 | '\" | |
28 | '\" .BE | |
29 | '\" End of box enclosure. | |
30 | '\" | |
31 | '\" .CS | |
32 | '\" Begin code excerpt. | |
33 | '\" | |
34 | '\" .CE | |
35 | '\" End code excerpt. | |
36 | '\" | |
37 | '\" .VS ?version? ?br? | |
38 | '\" Begin vertical sidebar, for use in marking newly-changed parts | |
39 | '\" of man pages. The first argument is ignored and used for recording | |
40 | '\" the version when the .VS was added, so that the sidebars can be | |
41 | '\" found and removed when they reach a certain age. If another argument | |
42 | '\" is present, then a line break is forced before starting the sidebar. | |
43 | '\" | |
44 | '\" .VE | |
45 | '\" End of vertical sidebar. | |
46 | '\" | |
47 | '\" .DS | |
48 | '\" Begin an indented unfilled display. | |
49 | '\" | |
50 | '\" .DE | |
51 | '\" End of indented unfilled display. | |
52 | '\" | |
53 | '\" .SO | |
54 | '\" Start of list of standard options for a Tk widget. The | |
55 | '\" options follow on successive lines, in four columns separated | |
56 | '\" by tabs. | |
57 | '\" | |
58 | '\" .SE | |
59 | '\" End of list of standard options for a Tk widget. | |
60 | '\" | |
61 | '\" .OP cmdName dbName dbClass | |
62 | '\" Start of description of a specific option. cmdName gives the | |
63 | '\" option's name as specified in the class command, dbName gives | |
64 | '\" the option's name in the option database, and dbClass gives | |
65 | '\" the option's class in the option database. | |
66 | '\" | |
67 | '\" .UL arg1 arg2 | |
68 | '\" Print arg1 underlined, then print arg2 normally. | |
69 | '\" | |
70 | '\" RCS: @(#) $Id: man.macros,v 1.4 2000/08/25 06:18:32 ericm Exp $ | |
71 | '\" | |
72 | '\" # Set up traps and other miscellaneous stuff for Tcl/Tk man pages. | |
73 | .if t .wh -1.3i ^B | |
74 | .nr ^l \n(.l | |
75 | .ad b | |
76 | '\" # Start an argument description | |
77 | .de AP | |
78 | .ie !"\\$4"" .TP \\$4 | |
79 | .el \{\ | |
80 | . ie !"\\$2"" .TP \\n()Cu | |
81 | . el .TP 15 | |
82 | .\} | |
83 | .ta \\n()Au \\n()Bu | |
84 | .ie !"\\$3"" \{\ | |
85 | \&\\$1 \\fI\\$2\\fP (\\$3) | |
86 | .\".b | |
87 | .\} | |
88 | .el \{\ | |
89 | .br | |
90 | .ie !"\\$2"" \{\ | |
91 | \&\\$1 \\fI\\$2\\fP | |
92 | .\} | |
93 | .el \{\ | |
94 | \&\\fI\\$1\\fP | |
95 | .\} | |
96 | .\} | |
97 | .. | |
98 | '\" # define tabbing values for .AP | |
99 | .de AS | |
100 | .nr )A 10n | |
101 | .if !"\\$1"" .nr )A \\w'\\$1'u+3n | |
102 | .nr )B \\n()Au+15n | |
103 | .\" | |
104 | .if !"\\$2"" .nr )B \\w'\\$2'u+\\n()Au+3n | |
105 | .nr )C \\n()Bu+\\w'(in/out)'u+2n | |
106 | .. | |
107 | .AS Tcl_Interp Tcl_CreateInterp in/out | |
108 | '\" # BS - start boxed text | |
109 | '\" # ^y = starting y location | |
110 | '\" # ^b = 1 | |
111 | .de BS | |
112 | .br | |
113 | .mk ^y | |
114 | .nr ^b 1u | |
115 | .if n .nf | |
116 | .if n .ti 0 | |
117 | .if n \l'\\n(.lu\(ul' | |
118 | .if n .fi | |
119 | .. | |
120 | '\" # BE - end boxed text (draw box now) | |
121 | .de BE | |
122 | .nf | |
123 | .ti 0 | |
124 | .mk ^t | |
125 | .ie n \l'\\n(^lu\(ul' | |
126 | .el \{\ | |
127 | .\" Draw four-sided box normally, but don't draw top of | |
128 | .\" box if the box started on an earlier page. | |
129 | .ie !\\n(^b-1 \{\ | |
130 | \h'-1.5n'\L'|\\n(^yu-1v'\l'\\n(^lu+3n\(ul'\L'\\n(^tu+1v-\\n(^yu'\l'|0u-1.5n\(ul' | |
131 | .\} | |
132 | .el \}\ | |
133 | \h'-1.5n'\L'|\\n(^yu-1v'\h'\\n(^lu+3n'\L'\\n(^tu+1v-\\n(^yu'\l'|0u-1.5n\(ul' | |
134 | .\} | |
135 | .\} | |
136 | .fi | |
137 | .br | |
138 | .nr ^b 0 | |
139 | .. | |
140 | '\" # VS - start vertical sidebar | |
141 | '\" # ^Y = starting y location | |
142 | '\" # ^v = 1 (for troff; for nroff this doesn't matter) | |
143 | .de VS | |
144 | .if !"\\$2"" .br | |
145 | .mk ^Y | |
146 | .ie n 'mc \s12\(br\s0 | |
147 | .el .nr ^v 1u | |
148 | .. | |
149 | '\" # VE - end of vertical sidebar | |
150 | .de VE | |
151 | .ie n 'mc | |
152 | .el \{\ | |
153 | .ev 2 | |
154 | .nf | |
155 | .ti 0 | |
156 | .mk ^t | |
157 | \h'|\\n(^lu+3n'\L'|\\n(^Yu-1v\(bv'\v'\\n(^tu+1v-\\n(^Yu'\h'-|\\n(^lu+3n' | |
158 | .sp -1 | |
159 | .fi | |
160 | .ev | |
161 | .\} | |
162 | .nr ^v 0 | |
163 | .. | |
164 | '\" # Special macro to handle page bottom: finish off current | |
165 | '\" # box/sidebar if in box/sidebar mode, then invoked standard | |
166 | '\" # page bottom macro. | |
167 | .de ^B | |
168 | .ev 2 | |
169 | 'ti 0 | |
170 | 'nf | |
171 | .mk ^t | |
172 | .if \\n(^b \{\ | |
173 | .\" Draw three-sided box if this is the box's first page, | |
174 | .\" draw two sides but no top otherwise. | |
175 | .ie !\\n(^b-1 \h'-1.5n'\L'|\\n(^yu-1v'\l'\\n(^lu+3n\(ul'\L'\\n(^tu+1v-\\n(^yu'\h'|0u'\c | |
176 | .el \h'-1.5n'\L'|\\n(^yu-1v'\h'\\n(^lu+3n'\L'\\n(^tu+1v-\\n(^yu'\h'|0u'\c | |
177 | .\} | |
178 | .if \\n(^v \{\ | |
179 | .nr ^x \\n(^tu+1v-\\n(^Yu | |
180 | \kx\h'-\\nxu'\h'|\\n(^lu+3n'\ky\L'-\\n(^xu'\v'\\n(^xu'\h'|0u'\c | |
181 | .\} | |
182 | .bp | |
183 | 'fi | |
184 | .ev | |
185 | .if \\n(^b \{\ | |
186 | .mk ^y | |
187 | .nr ^b 2 | |
188 | .\} | |
189 | .if \\n(^v \{\ | |
190 | .mk ^Y | |
191 | .\} | |
192 | .. | |
193 | '\" # DS - begin display | |
194 | .de DS | |
195 | .RS | |
196 | .nf | |
197 | .sp | |
198 | .. | |
199 | '\" # DE - end display | |
200 | .de DE | |
201 | .fi | |
202 | .RE | |
203 | .sp | |
204 | .. | |
205 | '\" # SO - start of list of standard options | |
206 | .de SO | |
207 | .SH "STANDARD OPTIONS" | |
208 | .LP | |
209 | .nf | |
210 | .ta 5.5c 11c | |
211 | .ft B | |
212 | .. | |
213 | '\" # SE - end of list of standard options | |
214 | .de SE | |
215 | .fi | |
216 | .ft R | |
217 | .LP | |
218 | See the \\fBoptions\\fR manual entry for details on the standard options. | |
219 | .. | |
220 | '\" # OP - start of full description for a single option | |
221 | .de OP | |
222 | .LP | |
223 | .nf | |
224 | .ta 4c | |
225 | Command-Line Name: \\fB\\$1\\fR | |
226 | Database Name: \\fB\\$2\\fR | |
227 | Database Class: \\fB\\$3\\fR | |
228 | .fi | |
229 | .IP | |
230 | .. | |
231 | '\" # CS - begin code excerpt | |
232 | .de CS | |
233 | .RS | |
234 | .nf | |
235 | .ta .25i .5i .75i 1i | |
236 | .. | |
237 | '\" # CE - end code excerpt | |
238 | .de CE | |
239 | .fi | |
240 | .RE | |
241 | .. | |
242 | .de UL | |
243 | \\$1\l'|0\(ul'\\$2 | |
244 | .. | |
245 | .TH "Safe Tcl" n 8.0 Tcl "Tcl Built-In Commands" | |
246 | .BS | |
247 | '\" Note: do not modify the .SH NAME line immediately below! | |
248 | .SH NAME | |
249 | Safe\ Base \- A mechanism for creating and manipulating safe interpreters. | |
250 | .SH SYNOPSIS | |
251 | \fB::safe::interpCreate\fR ?\fIslave\fR? ?\fIoptions...\fR? | |
252 | .sp | |
253 | \fB::safe::interpInit\fR \fIslave\fR ?\fIoptions...\fR? | |
254 | .sp | |
255 | \fB::safe::interpConfigure\fR \fIslave\fR ?\fIoptions...\fR? | |
256 | .sp | |
257 | \fB::safe::interpDelete\fR \fIslave\fR | |
258 | .sp | |
259 | \fB::safe::interpAddToAccessPath\fR \fIslave\fR \fIdirectory\fR | |
260 | .sp | |
261 | \fB::safe::interpFindInAccessPath\fR \fIslave\fR \fIdirectory\fR | |
262 | .sp | |
263 | \fB::safe::setLogCmd\fR ?\fIcmd arg...\fR? | |
264 | .SH OPTIONS | |
265 | .PP | |
266 | ?\fB\-accessPath\fR \fIpathList\fR? | |
267 | ?\fB\-statics\fR \fIboolean\fR? ?\fB\-noStatics\fR? | |
268 | ?\fB\-nested\fR \fIboolean\fR? ?\fB\-nestedLoadOk\fR? | |
269 | ?\fB\-deleteHook\fR \fIscript\fR? | |
270 | .BE | |
271 | ||
272 | .SH DESCRIPTION | |
273 | Safe Tcl is a mechanism for executing untrusted Tcl scripts | |
274 | safely and for providing mediated access by such scripts to | |
275 | potentially dangerous functionality. | |
276 | .PP | |
277 | The Safe Base ensures that untrusted Tcl scripts cannot harm the | |
278 | hosting application. | |
279 | The Safe Base prevents integrity and privacy attacks. Untrusted Tcl | |
280 | scripts are prevented from corrupting the state of the hosting | |
281 | application or computer. Untrusted scripts are also prevented from | |
282 | disclosing information stored on the hosting computer or in the | |
283 | hosting application to any party. | |
284 | .PP | |
285 | The Safe Base allows a master interpreter to create safe, restricted | |
286 | interpreters that contain a set of predefined aliases for the \fBsource\fR, | |
287 | \fBload\fR, \fBfile\fR, \fBencoding\fR, and \fBexit\fR commands and | |
288 | are able to use the auto-loading and package mechanisms. | |
289 | .PP | |
290 | No knowledge of the file system structure is leaked to the | |
291 | safe interpreter, because it has access only to a virtualized path | |
292 | containing tokens. When the safe interpreter requests to source a file, it | |
293 | uses the token in the virtual path as part of the file name to source; the | |
294 | master interpreter transparently | |
295 | translates the token into a real directory name and executes the | |
296 | requested operation (see the section \fBSECURITY\fR below for details). | |
297 | Different levels of security can be selected by using the optional flags | |
298 | of the commands described below. | |
299 | .PP | |
300 | All commands provided in the master interpreter by the Safe Base reside in | |
301 | the \fBsafe\fR namespace: | |
302 | ||
303 | .SH COMMANDS | |
304 | The following commands are provided in the master interpreter: | |
305 | .TP | |
306 | \fB::safe::interpCreate\fR ?\fIslave\fR? ?\fIoptions...\fR? | |
307 | Creates a safe interpreter, installs the aliases described in the section | |
308 | \fBALIASES\fR and initializes the auto-loading and package mechanism as | |
309 | specified by the supplied \fBoptions\fR. | |
310 | See the \fBOPTIONS\fR section below for a description of the | |
311 | optional arguments. | |
312 | If the \fIslave\fR argument is omitted, a name will be generated. | |
313 | \fB::safe::interpCreate\fR always returns the interpreter name. | |
314 | .TP | |
315 | \fB::safe::interpInit\fR \fIslave\fR ?\fIoptions...\fR? | |
316 | This command is similar to \fBinterpCreate\fR except it that does not | |
317 | create the safe interpreter. \fIslave\fR must have been created by some | |
318 | other means, like \fBinterp create \-safe\fR. | |
319 | .TP | |
320 | \fB::safe::interpConfigure\fR \fIslave\fR ?\fIoptions...\fR? | |
321 | If no \fIoptions\fR are given, returns the settings for all options for the | |
322 | named safe interpreter as a list of options and their current values | |
323 | for that \fIslave\fR. | |
324 | If a single additional argument is provided, | |
325 | it will return a list of 2 elements \fIname\fR and \fIvalue\fR where | |
326 | \fIname\fR is the full name of that option and \fIvalue\fR the current value | |
327 | for that option and the \fIslave\fR. | |
328 | If more than two additional arguments are provided, it will reconfigure the | |
329 | safe interpreter and change each and only the provided options. | |
330 | See the section on \fBOPTIONS\fR below for options description. | |
331 | Example of use: | |
332 | .RS | |
333 | .CS | |
334 | # Create a new interp with the same configuration as "$i0" : | |
335 | set i1 [eval safe::interpCreate [safe::interpConfigure $i0]] | |
336 | # Get the current deleteHook | |
337 | set dh [safe::interpConfigure $i0 \-del] | |
338 | # Change (only) the statics loading ok attribute of an interp | |
339 | # and its deleteHook (leaving the rest unchanged) : | |
340 | safe::interpConfigure $i0 \-delete {foo bar} \-statics 0 ; | |
341 | .CE | |
342 | .RE | |
343 | .TP | |
344 | \fB::safe::interpDelete\fR \fIslave\fR | |
345 | Deletes the safe interpreter and cleans up the corresponding | |
346 | master interpreter data structures. | |
347 | If a \fIdeleteHook\fR script was specified for this interpreter it is | |
348 | evaluated before the interpreter is deleted, with the name of the | |
349 | interpreter as an additional argument. | |
350 | .TP | |
351 | \fB::safe::interpFindInAccessPath\fR \fIslave\fR \fIdirectory\fR | |
352 | This command finds and returns the token for the real directory | |
353 | \fIdirectory\fR in the safe interpreter's current virtual access path. | |
354 | It generates an error if the directory is not found. | |
355 | Example of use: | |
356 | .RS | |
357 | .CS | |
358 | $slave eval [list set tk_library [::safe::interpFindInAccessPath $name $tk_library]] | |
359 | .CE | |
360 | .RE | |
361 | .TP | |
362 | \fB::safe::interpAddToAccessPath\fR \fIslave\fR \fIdirectory\fR | |
363 | This command adds \fIdirectory\fR to the virtual path maintained for the | |
364 | safe interpreter in the master, and returns the token that can be used in | |
365 | the safe interpreter to obtain access to files in that directory. | |
366 | If the directory is already in the virtual path, it only returns the token | |
367 | without adding the directory to the virtual path again. | |
368 | Example of use: | |
369 | .RS | |
370 | .CS | |
371 | $slave eval [list set tk_library [::safe::interpAddToAccessPath $name $tk_library]] | |
372 | .CE | |
373 | .RE | |
374 | .TP | |
375 | \fB::safe::setLogCmd\fR ?\fIcmd arg...\fR? | |
376 | This command installs a script that will be called when interesting | |
377 | life cycle events occur for a safe interpreter. | |
378 | When called with no arguments, it returns the currently installed script. | |
379 | When called with one argument, an empty string, the currently installed | |
380 | script is removed and logging is turned off. | |
381 | The script will be invoked with one additional argument, a string | |
382 | describing the event of interest. | |
383 | The main purpose is to help in debugging safe interpreters. | |
384 | Using this facility you can get complete error messages while the safe | |
385 | interpreter gets only generic error messages. | |
386 | This prevents a safe interpreter from seeing messages about failures | |
387 | and other events that might contain sensitive information such as real | |
388 | directory names. | |
389 | .RS | |
390 | Example of use: | |
391 | .CS | |
392 | ::safe::setLogCmd puts stderr | |
393 | .CE | |
394 | Below is the output of a sample session in which a safe interpreter | |
395 | attempted to source a file not found in its virtual access path. | |
396 | Note that the safe interpreter only received an error message saying that | |
397 | the file was not found: | |
398 | .CS | |
399 | NOTICE for slave interp10 : Created | |
400 | NOTICE for slave interp10 : Setting accessPath=(/foo/bar) staticsok=1 nestedok=0 deletehook=() | |
401 | NOTICE for slave interp10 : auto_path in interp10 has been set to {$p(:0:)} | |
402 | ERROR for slave interp10 : /foo/bar/init.tcl: no such file or directory | |
403 | .CE | |
404 | .RE | |
405 | ||
406 | .SH OPTIONS | |
407 | The following options are common to | |
408 | \fB::safe::interpCreate\fR, \fB::safe::interpInit\fR, | |
409 | and \fB::safe::interpConfigure\fR. | |
410 | Any option name can be abbreviated to its minimal | |
411 | non-ambiguous name. | |
412 | Option names are not case sensitive. | |
413 | .TP | |
414 | \fB\-accessPath\fR \fIdirectoryList\fR | |
415 | This option sets the list of directories from which the safe interpreter | |
416 | can \fBsource\fR and \fBload\fR files. | |
417 | If this option is not specified, or if it is given as the | |
418 | empty list, the safe interpreter will use the same directories as its | |
419 | master for auto-loading. | |
420 | See the section \fBSECURITY\fR below for more detail about virtual paths, | |
421 | tokens and access control. | |
422 | .TP | |
423 | \fB\-statics\fR \fIboolean\fR | |
424 | This option specifies if the safe interpreter will be allowed | |
425 | to load statically linked packages (like \fBload {} Tk\fR). | |
426 | The default value is \fBtrue\fR : | |
427 | safe interpreters are allowed to load statically linked packages. | |
428 | .TP | |
429 | \fB\-noStatics\fR | |
430 | This option is a convenience shortcut for \fB-statics false\fR and | |
431 | thus specifies that the safe interpreter will not be allowed | |
432 | to load statically linked packages. | |
433 | .TP | |
434 | \fB\-nested\fR \fIboolean\fR | |
435 | This option specifies if the safe interpreter will be allowed | |
436 | to load packages into its own sub-interpreters. | |
437 | The default value is \fBfalse\fR : | |
438 | safe interpreters are not allowed to load packages into | |
439 | their own sub-interpreters. | |
440 | .TP | |
441 | \fB\-nestedLoadOk\fR | |
442 | This option is a convenience shortcut for \fB-nested true\fR and | |
443 | thus specifies the safe interpreter will be allowed | |
444 | to load packages into its own sub-interpreters. | |
445 | .TP | |
446 | \fB\-deleteHook\fR \fIscript\fR | |
447 | When this option is given a non-empty \fIscript\fR, it will be | |
448 | evaluated in the master with the name of | |
449 | the safe interpreter as an additional argument | |
450 | just before actually deleting the safe interpreter. | |
451 | Giving an empty value removes any currently installed deletion hook | |
452 | script for that safe interpreter. | |
453 | The default value (\fB{}\fR) is not to have any deletion call back. | |
454 | .SH ALIASES | |
455 | The following aliases are provided in a safe interpreter: | |
456 | .TP | |
457 | \fBsource\fR \fIfileName\fR | |
458 | The requested file, a Tcl source file, is sourced into the safe interpreter | |
459 | if it is found. | |
460 | The \fBsource\fR alias can only source files from directories in | |
461 | the virtual path for the safe interpreter. The \fBsource\fR alias requires | |
462 | the safe interpreter to | |
463 | use one of the token names in its virtual path to denote the directory in | |
464 | which the file to be sourced can be found. | |
465 | See the section on \fBSECURITY\fR for more discussion of restrictions on | |
466 | valid filenames. | |
467 | .TP | |
468 | \fBload\fR \fIfileName\fR | |
469 | The requested file, a shared object file, is dynamically loaded into the | |
470 | safe interpreter if it is found. | |
471 | The filename must contain a token name mentioned in the virtual path for | |
472 | the safe interpreter for it to be found successfully. | |
473 | Additionally, the shared object file must contain a safe entry point; see | |
474 | the manual page for the \fBload\fR command for more details. | |
475 | .TP | |
476 | \fBfile\fR ?\fIsubCmd args...\fR? | |
477 | The \fBfile\fR alias provides access to a safe subset of the subcommands of | |
478 | the \fBfile\fR command; it allows only \fBdirname\fR, \fBjoin\fR, | |
479 | \fBextension\fR, \fBroot\fR, \fBtail\fR, \fBpathname\fR and \fBsplit\fR | |
480 | subcommands. For more details on what these subcommands do see the manual | |
481 | page for the \fBfile\fR command. | |
482 | .TP | |
483 | \fBencoding\fR ?\fIsubCmd args...\fR? | |
484 | The \fBencoding\fR alias provides access to a safe subset of the | |
485 | subcommands of the \fBencoding\fR command; it disallows setting of | |
486 | the system encoding, but allows all other subcommands including | |
487 | \fBsystem\fR to check the current encoding. | |
488 | .TP | |
489 | \fBexit\fR | |
490 | The calling interpreter is deleted and its computation is stopped, but the | |
491 | Tcl process in which this interpreter exists is not terminated. | |
492 | ||
493 | .SH SECURITY | |
494 | The Safe Base does not attempt to completely prevent annoyance and | |
495 | denial of service attacks. These forms of attack prevent the | |
496 | application or user from temporarily using the computer to perform | |
497 | useful work, for example by consuming all available CPU time or | |
498 | all available screen real estate. | |
499 | These attacks, while aggravating, are deemed to be of lesser importance | |
500 | in general than integrity and privacy attacks that the Safe Base | |
501 | is to prevent. | |
502 | .PP | |
503 | The commands available in a safe interpreter, in addition to | |
504 | the safe set as defined in \fBinterp\fR manual page, are mediated aliases | |
505 | for \fBsource\fR, \fBload\fR, \fBexit\fR, and safe subsets of | |
506 | \fBfile\fR and \fBencoding\fR. The safe interpreter can also auto-load | |
507 | code and it can request that packages be loaded. | |
508 | .PP | |
509 | Because some of these commands access the local file system, there is a | |
510 | potential for information leakage about its directory structure. | |
511 | To prevent this, commands that take file names as arguments in a safe | |
512 | interpreter use tokens instead of the real directory names. | |
513 | These tokens are translated to the real directory name while a request to, | |
514 | e.g., source a file is mediated by the master interpreter. | |
515 | This virtual path system is maintained in the master interpreter for each safe | |
516 | interpreter created by \fB::safe::interpCreate\fR or initialized by | |
517 | \fB::safe::interpInit\fR and | |
518 | the path maps tokens accessible in the safe interpreter into real path | |
519 | names on the local file system thus preventing safe interpreters | |
520 | from gaining knowledge about the | |
521 | structure of the file system of the host on which the interpreter is | |
522 | executing. | |
523 | The only valid file names arguments | |
524 | for the \fBsource\fR and \fBload\fR aliases provided to the slave | |
525 | are path in the form of | |
526 | \fB[file join \fR\fItoken filename\fR\fB]\fR (i.e. when using the | |
527 | native file path formats: \fItoken\fR\fB/\fR\fIfilename\fR | |
528 | on Unix, \fItoken\fR\fB\\\fIfilename\fR on Windows, | |
529 | and \fItoken\fR\fB:\fR\fIfilename\fR on the Mac), | |
530 | where \fItoken\fR is representing one of the directories | |
531 | of the \fIaccessPath\fR list and \fIfilename\fR is | |
532 | one file in that directory (no sub directories access are allowed). | |
533 | .PP | |
534 | When a token is used in a safe interpreter in a request to source or | |
535 | load a file, the token is checked and | |
536 | translated to a real path name and the file to be | |
537 | sourced or loaded is located on the file system. | |
538 | The safe interpreter never gains knowledge of the actual path name under | |
539 | which the file is stored on the file system. | |
540 | .PP | |
541 | To further prevent potential information leakage from sensitive files that | |
542 | are accidentally included in the set of files that can be sourced by a safe | |
543 | interpreter, the \fBsource\fR alias restricts access to files | |
544 | meeting the following constraints: the file name must | |
545 | fourteen characters or shorter, must not contain more than one dot ("\fB.\fR"), | |
546 | must end up with the extension \fB.tcl\fR or be called \fBtclIndex\fR. | |
547 | .PP | |
548 | Each element of the initial access path | |
549 | list will be assigned a token that will be set in | |
550 | the slave \fBauto_path\fR and the first element of that list will be set as | |
551 | the \fBtcl_library\fR for that slave. | |
552 | .PP | |
553 | If the access path argument is not given or is the empty list, | |
554 | the default behavior is to let the slave access the same packages | |
555 | as the master has access to (Or to be more precise: | |
556 | only packages written in Tcl (which by definition can't be dangerous | |
557 | as they run in the slave interpreter) and C extensions that | |
558 | provides a Safe_Init entry point). For that purpose, the master's | |
559 | \fBauto_path\fR will be used to construct the slave access path. | |
560 | In order that the slave successfully loads the Tcl library files | |
561 | (which includes the auto-loading mechanism itself) the \fBtcl_library\fR will be | |
562 | added or moved to the first position if necessary, in the | |
563 | slave access path, so the slave | |
564 | \fBtcl_library\fR will be the same as the master's (its real | |
565 | path will still be invisible to the slave though). | |
566 | In order that auto-loading works the same for the slave and | |
567 | the master in this by default case, the first-level | |
568 | sub directories of each directory in the master \fBauto_path\fR will | |
569 | also be added (if not already included) to the slave access path. | |
570 | You can always specify a more | |
571 | restrictive path for which sub directories will never be searched by | |
572 | explicitly specifying your directory list with the \fB\-accessPath\fR flag | |
573 | instead of relying on this default mechanism. | |
574 | .PP | |
575 | When the \fIaccessPath\fR is changed after the first creation or | |
576 | initialization (i.e. through \fBinterpConfigure -accessPath \fR\fIlist\fR), | |
577 | an \fBauto_reset\fR is automatically evaluated in the safe interpreter | |
578 | to synchronize its \fBauto_index\fR with the new token list. | |
579 | ||
580 | .SH "SEE ALSO" | |
581 | interp(n), library(n), load(n), package(n), source(n), unknown(n) | |
582 | ||
583 | .SH KEYWORDS | |
584 | alias, auto\-loading, auto_mkindex, load, master interpreter, safe | |
585 | interpreter, slave interpreter, source |