Practical Programming in Tcl & Tk, Third Edition By Brent B. Welch
Table of Contents
Chapter 19. Multiple Interpreters and Safe-Tcl
A safe interpreter created with interp create -safe has no script library environment and no way to source scripts. Tcl provides a safe base that extends a raw safe interpreter with the ability to source scripts and load packages, which are described in Chapter 12. The safe base also defines an exit alias that deletes the slave, like the one in Example 19-7, instead of terminating the master process. The safe base is implemented as Tcl scripts that are part of the standard Tcl script library. Create an interpreter that uses the safe base with safe::interpCreate:
safe::interpCreate foo
The safe base has source and load aliases that only access directories on an access path defined by the master interpreter, and the slave refers to those directories only through opaque tokens that the safe base translates back to real paths. The master therefore has complete control over what files can be loaded into a slave. Sourcing a file does not by itself escalate anything, because whatever the file contains runs with the slave's restricted command set, so in general it would be all right to source any Tcl program into an untrusted interpreter. The risk is information leakage: untrusted scripts could learn whether arbitrary files exist, and something of their contents, from the error messages they get by sourcing them. For that reason the safe base reports only a generic error to the slave and sends the detail to the master's log command. The safe base also has versions of the package and unknown commands that support the library facility. Table 19-3 lists the Tcl procedures in the safe base:
Table 19-3. The safe base master interface.
safe::interpCreate ?slave? ?options?
Creates a safe interpreter and initializes the security policy mechanism. If slave is omitted, a name is generated; the name of the slave is returned.
safe::interpInit slave ?options?
Initializes a safe interpreter so it can use security policies.
safe::interpConfigure slave ?options?
Sets or queries the slave's configuration. Options are -accessPath pathlist (the directories the slave may source and load from), -nostatics (forbid loading statically linked packages), -deleteHook script (evaluated in the master, with the slave name appended, before the slave is deleted), and -nestedLoadOk (allow load into the slave's own sub-interpreters). With no options the current configuration is returned.
safe::interpDelete slave
Deletes a safe interpreter.
safe::interpAddToAccessPath slave directory
Adds a directory to the slave's access path.
safe::interpFindInAccessPath slave directory
Maps from a directory to the token visible in the slave for that directory.
safe::setLogCmd ?cmd arg... ?
Sets or queries the logging command used by the safe base.
Table 19-4 lists the aliases defined in a safe interpreter by the safe base.
Table 19-4. The safe base slave aliases.
source
Loads scripts from directories in the access path.
load
Loads binary extensions from the slave's access path.
file
Only the dirname, join, extension, root, tail, pathtype, and split operations are allowed. These are pure string operations on path names; subcommands that touch the file system (exists, readable, stat, delete, and so on) are not exposed to the slave.
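As an added example that is not from the book, the script below exercises the master interface in Table 19-3 and the slave aliases in Table 19-4 together: it creates a safe base slave with a one-directory access path, sources a script through the path token, and shows what the slave sees when it tries to reach a file outside the path, to traverse with "..", or to call a file subcommand that touches the file system. It assumes Tcl 8.4 or later; the slave name, the sandbox directory and the files it creates are constructed for the demonstration.

```tcl
#!/usr/bin/env tclsh
# Added example (not the book's code). Assumes Tcl 8.4 or later.
package require Tcl 8.4

# Route the safe base's own log messages (why a request was refused,
# what was added to the access path) to stderr. The slave only ever
# sees a generic error; the detail goes here, to the master.
proc safelog {msg} { puts stderr "safe-log: $msg" }
safe::setLogCmd safelog

# Runs in the master with the slave name appended, just before deletion.
proc bye {slave} { puts "delete hook ran for $slave" }

# A directory the slave is allowed to source from (constructed) ...
set sandbox [file join [pwd] safe-sandbox-[pid]]
file mkdir $sandbox
set fd [open [file join $sandbox hello.tcl] w]
puts $fd {proc hello {who} { return "hello, $who" }}
close $fd

# ... and a file outside the access path that it must not be able to read.
set secret [file join [pwd] safe-secret-[pid].txt]
set fd [open $secret w]
puts $fd "db_password=example-only"
close $fd

# The master fixes the access path. The safe base adds the Tcl library
# directory itself so that init.tcl can be sourced into the slave.
set slave [safe::interpCreate untrusted -accessPath [list $sandbox] \
               -deleteHook bye]

# The slave never sees real directory names, only tokens. Look up the
# token for the sandbox and hand it to the slave as a variable.
set tok [safe::interpFindInAccessPath $slave $sandbox]
puts "token for $sandbox is $tok"
interp eval $slave [list set sandbox $tok]

# Allowed: a file that lives directly in an access-path directory.
interp eval $slave {source [file join $sandbox hello.tcl]}
puts [interp eval $slave {hello safe-tcl}]

# Refused: a real file system path is not on the access path. The slave
# gets a generic error; the reason is only in the master's log.
if {[catch {interp eval $slave [list source $secret]} err]} {
    puts "source of secret refused: $err"
}

# Refused: ".." is rejected before the token is even translated.
if {[catch {interp eval $slave {source [file join $sandbox .. hello.tcl]}} err]} {
    puts "path traversal refused: $err"
}

# The file alias allows only string operations on path names ...
puts "file tail works: [interp eval $slave [list file tail $secret]]"
# ... and refuses anything that would consult the file system.
if {[catch {interp eval $slave [list file readable $secret]} err]} {
    puts "file readable refused: $err"
}

# Commands such as open are hidden, so they are simply absent.
puts "open visible in slave: '[interp eval $slave {info commands open}]'"

# The exit alias deletes the slave (running the delete hook) rather
# than ending the master process.
catch {interp eval $slave exit}
puts "slave exists after exit: [interp exists $slave]"

file delete -force $sandbox $secret
```

Run it with tclsh and watch stderr: every refusal the slave sees as a one-word error is accompanied by a master-side log line naming the real path that was asked for, which is the split the access path design is meant to enforce. If a package the slave needs lives elsewhere, add its directory with safe::interpAddToAccessPath rather than widening the path to a parent directory, since the source alias only accepts files that sit directly in a listed directory.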