audo
/

Retrieval-based-Voice-Conversion-WebUI

Model card Files Files and versions Community

Retrieval-based-Voice-Conversion-WebUI / runtime /tcl /tcl8.6 /safe.tcl

camenduru

thanks to RVC-Project ❤

ef99749 over 1 year ago

raw

history blame contribute delete

33.4 kB

	# safe.tcl --
	#
	# This file provide a safe loading/sourcing mechanism for safe interpreters.
	# It implements a virtual path mecanism to hide the real pathnames from the
	# slave. It runs in a master interpreter and sets up data structure and
	# aliases that will be invoked when used from a slave interpreter.
	#
	# See the safe.n man page for details.
	#
	# Copyright (c) 1996-1997 Sun Microsystems, Inc.
	#
	# See the file "license.terms" for information on usage and redistribution of
	# this file, and for a DISCLAIMER OF ALL WARRANTIES.

	#
	# The implementation is based on namespaces. These naming conventions are
	# followed:
	# Private procs starts with uppercase.
	# Public procs are exported and starts with lowercase
	#

	# Needed utilities package
	package require opt 0.4.1

	# Create the safe namespace
	namespace eval ::safe {
	# Exported API:
	namespace export interpCreate interpInit interpConfigure interpDelete \
	interpAddToAccessPath interpFindInAccessPath setLogCmd
	}

	# Helper function to resolve the dual way of specifying staticsok (either
	# by -noStatics or -statics 0)
	proc ::safe::InterpStatics {} {
	foreach v {Args statics noStatics} {
	upvar $v $v
	}
	set flag [::tcl::OptProcArgGiven -noStatics]
	if {$flag && (!$noStatics == !$statics)
	&& ([::tcl::OptProcArgGiven -statics])} {
	return -code error\
	"conflicting values given for -statics and -noStatics"
	}
	if {$flag} {
	return [expr {!$noStatics}]
	} else {
	return $statics
	}
	}

	# Helper function to resolve the dual way of specifying nested loading
	# (either by -nestedLoadOk or -nested 1)
	proc ::safe::InterpNested {} {
	foreach v {Args nested nestedLoadOk} {
	upvar $v $v
	}
	set flag [::tcl::OptProcArgGiven -nestedLoadOk]
	# note that the test here is the opposite of the "InterpStatics" one
	# (it is not -noNested... because of the wanted default value)
	if {$flag && (!$nestedLoadOk != !$nested)
	&& ([::tcl::OptProcArgGiven -nested])} {
	return -code error\
	"conflicting values given for -nested and -nestedLoadOk"
	}
	if {$flag} {
	# another difference with "InterpStatics"
	return $nestedLoadOk
	} else {
	return $nested
	}
	}

	####
	#
	# API entry points that needs argument parsing :
	#
	####

	# Interface/entry point function and front end for "Create"
	proc ::safe::interpCreate {args} {
	set Args [::tcl::OptKeyParse ::safe::interpCreate $args]
	InterpCreate $slave $accessPath \
	[InterpStatics] [InterpNested] $deleteHook
	}

	proc ::safe::interpInit {args} {
	set Args [::tcl::OptKeyParse ::safe::interpIC $args]
	if {![::interp exists $slave]} {
	return -code error "\"$slave\" is not an interpreter"
	}
	InterpInit $slave $accessPath \
	[InterpStatics] [InterpNested] $deleteHook
	}

	# Check that the given slave is "one of us"
	proc ::safe::CheckInterp {slave} {
	namespace upvar ::safe S$slave state
	if {![info exists state] \|\| ![::interp exists $slave]} {
	return -code error \
	"\"$slave\" is not an interpreter managed by ::safe::"
	}
	}

	# Interface/entry point function and front end for "Configure". This code
	# is awfully pedestrian because it would need more coupling and support
	# between the way we store the configuration values in safe::interp's and
	# the Opt package. Obviously we would like an OptConfigure to avoid
	# duplicating all this code everywhere.
	# -> TODO (the app should share or access easily the program/value stored
	# by opt)

	# This is even more complicated by the boolean flags with no values that
	# we had the bad idea to support for the sake of user simplicity in
	# create/init but which makes life hard in configure...
	# So this will be hopefully written and some integrated with opt1.0
	# (hopefully for tcl8.1 ?)
	proc ::safe::interpConfigure {args} {
	switch [llength $args] {
	1 {
	# If we have exactly 1 argument the semantic is to return all
	# the current configuration. We still call OptKeyParse though
	# we know that "slave" is our given argument because it also
	# checks for the "-help" option.
	set Args [::tcl::OptKeyParse ::safe::interpIC $args]
	CheckInterp $slave
	namespace upvar ::safe S$slave state

	return [join [list \
	[list -accessPath $state(access_path)] \
	[list -statics $state(staticsok)] \
	[list -nested $state(nestedok)] \
	[list -deleteHook $state(cleanupHook)]]]
	}
	2 {
	# If we have exactly 2 arguments the semantic is a "configure
	# get"
	lassign $args slave arg

	# get the flag sub program (we 'know' about Opt's internal
	# representation of data)
	set desc [lindex [::tcl::OptKeyGetDesc ::safe::interpIC] 2]
	set hits [::tcl::OptHits desc $arg]
	if {$hits > 1} {
	return -code error [::tcl::OptAmbigous $desc $arg]
	} elseif {$hits == 0} {
	return -code error [::tcl::OptFlagUsage $desc $arg]
	}
	CheckInterp $slave
	namespace upvar ::safe S$slave state

	set item [::tcl::OptCurDesc $desc]
	set name [::tcl::OptName $item]
	switch -exact -- $name {
	-accessPath {
	return [list -accessPath $state(access_path)]
	}
	-statics {
	return [list -statics $state(staticsok)]
	}
	-nested {
	return [list -nested $state(nestedok)]
	}
	-deleteHook {
	return [list -deleteHook $state(cleanupHook)]
	}
	-noStatics {
	# it is most probably a set in fact but we would need
	# then to jump to the set part and it is not sure
	# that it is a set action that the user want, so force
	# it to use the unambigous -statics ?value? instead:
	return -code error\
	"ambigous query (get or set -noStatics ?)\
	use -statics instead"
	}
	-nestedLoadOk {
	return -code error\
	"ambigous query (get or set -nestedLoadOk ?)\
	use -nested instead"
	}
	default {
	return -code error "unknown flag $name (bug)"
	}
	}
	}
	default {
	# Otherwise we want to parse the arguments like init and
	# create did
	set Args [::tcl::OptKeyParse ::safe::interpIC $args]
	CheckInterp $slave
	namespace upvar ::safe S$slave state

	# Get the current (and not the default) values of whatever has
	# not been given:
	if {![::tcl::OptProcArgGiven -accessPath]} {
	set doreset 1
	set accessPath $state(access_path)
	} else {
	set doreset 0
	}
	if {
	![::tcl::OptProcArgGiven -statics]
	&& ![::tcl::OptProcArgGiven -noStatics]
	} then {
	set statics $state(staticsok)
	} else {
	set statics [InterpStatics]
	}
	if {
	[::tcl::OptProcArgGiven -nested] \|\|
	[::tcl::OptProcArgGiven -nestedLoadOk]
	} then {
	set nested [InterpNested]
	} else {
	set nested $state(nestedok)
	}
	if {![::tcl::OptProcArgGiven -deleteHook]} {
	set deleteHook $state(cleanupHook)
	}
	# we can now reconfigure :
	InterpSetConfig $slave $accessPath $statics $nested $deleteHook
	# auto_reset the slave (to completly synch the new access_path)
	if {$doreset} {
	if {[catch {::interp eval $slave {auto_reset}} msg]} {
	Log $slave "auto_reset failed: $msg"
	} else {
	Log $slave "successful auto_reset" NOTICE
	}
	}
	}
	}
	}

	####
	#
	# Functions that actually implements the exported APIs
	#
	####

	#
	# safe::InterpCreate : doing the real job
	#
	# This procedure creates a safe slave and initializes it with the safe
	# base aliases.
	# NB: slave name must be simple alphanumeric string, no spaces, no (), no
	# {},... {because the state array is stored as part of the name}
	#
	# Returns the slave name.
	#
	# Optional Arguments :
	# + slave name : if empty, generated name will be used
	# + access_path: path list controlling where load/source can occur,
	# if empty: the master auto_path will be used.
	# + staticsok : flag, if 0 :no static package can be loaded (load {} Xxx)
	# if 1 :static packages are ok.
	# + nestedok: flag, if 0 :no loading to sub-sub interps (load xx xx sub)
	# if 1 : multiple levels are ok.

	# use the full name and no indent so auto_mkIndex can find us
	proc ::safe::InterpCreate {
	slave
	access_path
	staticsok
	nestedok
	deletehook
	} {
	# Create the slave.
	if {$slave ne ""} {
	::interp create -safe $slave
	} else {
	# empty argument: generate slave name
	set slave [::interp create -safe]
	}
	Log $slave "Created" NOTICE

	# Initialize it. (returns slave name)
	InterpInit $slave $access_path $staticsok $nestedok $deletehook
	}

	#
	# InterpSetConfig (was setAccessPath) :
	# Sets up slave virtual auto_path and corresponding structure within
	# the master. Also sets the tcl_library in the slave to be the first
	# directory in the path.
	# NB: If you change the path after the slave has been initialized you
	# probably need to call "auto_reset" in the slave in order that it gets
	# the right auto_index() array values.

	proc ::safe::InterpSetConfig {slave access_path staticsok nestedok deletehook} {
	global auto_path

	# determine and store the access path if empty
	if {$access_path eq ""} {
	set access_path $auto_path

	# Make sure that tcl_library is in auto_path and at the first
	# position (needed by setAccessPath)
	set where [lsearch -exact $access_path [info library]]
	if {$where == -1} {
	# not found, add it.
	set access_path [linsert $access_path 0 [info library]]
	Log $slave "tcl_library was not in auto_path,\
	added it to slave's access_path" NOTICE
	} elseif {$where != 0} {
	# not first, move it first
	set access_path [linsert \
	[lreplace $access_path $where $where] \
	0 [info library]]
	Log $slave "tcl_libray was not in first in auto_path,\
	moved it to front of slave's access_path" NOTICE
	}

	# Add 1st level sub dirs (will searched by auto loading from tcl
	# code in the slave using glob and thus fail, so we add them here
	# so by default it works the same).
	set access_path [AddSubDirs $access_path]
	}

	Log $slave "Setting accessPath=($access_path) staticsok=$staticsok\
	nestedok=$nestedok deletehook=($deletehook)" NOTICE

	namespace upvar ::safe S$slave state

	# clear old autopath if it existed
	# build new one
	# Extend the access list with the paths used to look for Tcl Modules.
	# We save the virtual form separately as well, as syncing it with the
	# slave has to be defered until the necessary commands are present for
	# setup.

	set norm_access_path {}
	set slave_access_path {}
	set map_access_path {}
	set remap_access_path {}
	set slave_tm_path {}

	set i 0
	foreach dir $access_path {
	set token [PathToken $i]
	lappend slave_access_path $token
	lappend map_access_path $token $dir
	lappend remap_access_path $dir $token
	lappend norm_access_path [file normalize $dir]
	incr i
	}

	set morepaths [::tcl::tm::list]
	while {[llength $morepaths]} {
	set addpaths $morepaths
	set morepaths {}

	foreach dir $addpaths {
	# Prevent the addition of dirs on the tm list to the
	# result if they are already known.
	if {[dict exists $remap_access_path $dir]} {
	continue
	}

	set token [PathToken $i]
	lappend access_path $dir
	lappend slave_access_path $token
	lappend map_access_path $token $dir
	lappend remap_access_path $dir $token
	lappend norm_access_path [file normalize $dir]
	lappend slave_tm_path $token
	incr i

	# [Bug 2854929]
	# Recursively find deeper paths which may contain
	# modules. Required to handle modules with names like
	# 'platform::shell', which translate into
	# 'platform/shell-X.tm', i.e arbitrarily deep
	# subdirectories.
	lappend morepaths {}[glob -nocomplain -directory $dir -type d ]
	}
	}

	set state(access_path) $access_path
	set state(access_path,map) $map_access_path
	set state(access_path,remap) $remap_access_path
	set state(access_path,norm) $norm_access_path
	set state(access_path,slave) $slave_access_path
	set state(tm_path_slave) $slave_tm_path
	set state(staticsok) $staticsok
	set state(nestedok) $nestedok
	set state(cleanupHook) $deletehook

	SyncAccessPath $slave
	}

	#
	#
	# FindInAccessPath:
	# Search for a real directory and returns its virtual Id (including the
	# "$")
	proc ::safe::interpFindInAccessPath {slave path} {
	namespace upvar ::safe S$slave state

	if {![dict exists $state(access_path,remap) $path]} {
	return -code error "$path not found in access path $access_path"
	}

	return [dict get $state(access_path,remap) $path]
	}

	#
	# addToAccessPath:
	# add (if needed) a real directory to access path and return its
	# virtual token (including the "$").
	proc ::safe::interpAddToAccessPath {slave path} {
	# first check if the directory is already in there
	# (inlined interpFindInAccessPath).
	namespace upvar ::safe S$slave state

	if {[dict exists $state(access_path,remap) $path]} {
	return [dict get $state(access_path,remap) $path]
	}

	# new one, add it:
	set token [PathToken [llength $state(access_path)]]

	lappend state(access_path) $path
	lappend state(access_path,slave) $token
	lappend state(access_path,map) $token $path
	lappend state(access_path,remap) $path $token
	lappend state(access_path,norm) [file normalize $path]

	SyncAccessPath $slave
	return $token
	}

	# This procedure applies the initializations to an already existing
	# interpreter. It is useful when you want to install the safe base aliases
	# into a preexisting safe interpreter.
	proc ::safe::InterpInit {
	slave
	access_path
	staticsok
	nestedok
	deletehook
	} {
	# Configure will generate an access_path when access_path is empty.
	InterpSetConfig $slave $access_path $staticsok $nestedok $deletehook

	# NB we need to add [namespace current], aliases are always absolute
	# paths.

	# These aliases let the slave load files to define new commands
	# This alias lets the slave use the encoding names, convertfrom,
	# convertto, and system, but not "encoding system <name>" to set the
	# system encoding.
	# Handling Tcl Modules, we need a restricted form of Glob.
	# This alias interposes on the 'exit' command and cleanly terminates
	# the slave.

	foreach {command alias} {
	source AliasSource
	load AliasLoad
	encoding AliasEncoding
	exit interpDelete
	glob AliasGlob
	} {
	::interp alias $slave $command {} [namespace current]::$alias $slave
	}

	# This alias lets the slave have access to a subset of the 'file'
	# command functionality.

	::interp expose $slave file
	foreach subcommand {dirname extension rootname tail} {
	::interp alias $slave ::tcl::file::$subcommand {} \
	::safe::AliasFileSubcommand $slave $subcommand
	}
	foreach subcommand {
	atime attributes copy delete executable exists isdirectory isfile
	link lstat mtime mkdir nativename normalize owned readable readlink
	rename size stat tempfile type volumes writable
	} {
	::interp alias $slave ::tcl::file::$subcommand {} \
	::safe::BadSubcommand $slave file $subcommand
	}

	# Subcommands of info
	foreach {subcommand alias} {
	nameofexecutable AliasExeName
	} {
	::interp alias $slave ::tcl::info::$subcommand \
	{} [namespace current]::$alias $slave
	}

	# The allowed slave variables already have been set by Tcl_MakeSafe(3)

	# Source init.tcl and tm.tcl into the slave, to get auto_load and
	# other procedures defined:

	if {[catch {::interp eval $slave {
	source [file join $tcl_library init.tcl]
	}} msg opt]} {
	Log $slave "can't source init.tcl ($msg)"
	return -options $opt "can't source init.tcl into slave $slave ($msg)"
	}

	if {[catch {::interp eval $slave {
	source [file join $tcl_library tm.tcl]
	}} msg opt]} {
	Log $slave "can't source tm.tcl ($msg)"
	return -options $opt "can't source tm.tcl into slave $slave ($msg)"
	}

	# Sync the paths used to search for Tcl modules. This can be done only
	# now, after tm.tcl was loaded.
	namespace upvar ::safe S$slave state
	if {[llength $state(tm_path_slave)] > 0} {
	::interp eval $slave [list \
	::tcl::tm::add {*}[lreverse $state(tm_path_slave)]]
	}
	return $slave
	}

	# Add (only if needed, avoid duplicates) 1 level of sub directories to an
	# existing path list. Also removes non directories from the returned
	# list.
	proc ::safe::AddSubDirs {pathList} {
	set res {}
	foreach dir $pathList {
	if {[file isdirectory $dir]} {
	# check that we don't have it yet as a children of a previous
	# dir
	if {$dir ni $res} {
	lappend res $dir
	}
	foreach sub [glob -directory $dir -nocomplain *] {
	if {[file isdirectory $sub] && ($sub ni $res)} {
	# new sub dir, add it !
	lappend res $sub
	}
	}
	}
	}
	return $res
	}

	# This procedure deletes a safe slave managed by Safe Tcl and cleans up
	# associated state:

	proc ::safe::interpDelete {slave} {
	Log $slave "About to delete" NOTICE

	namespace upvar ::safe S$slave state

	# If the slave has a cleanup hook registered, call it. Check the
	# existance because we might be called to delete an interp which has
	# not been registered with us at all

	if {[info exists state(cleanupHook)]} {
	set hook $state(cleanupHook)
	if {[llength $hook]} {
	# remove the hook now, otherwise if the hook calls us somehow,
	# we'll loop
	unset state(cleanupHook)
	try {
	{*}$hook $slave
	} on error err {
	Log $slave "Delete hook error ($err)"
	}
	}
	}

	# Discard the global array of state associated with the slave, and
	# delete the interpreter.

	if {[info exists state]} {
	unset state
	}

	# if we have been called twice, the interp might have been deleted
	# already
	if {[::interp exists $slave]} {
	::interp delete $slave
	Log $slave "Deleted" NOTICE
	}

	return
	}

	# Set (or get) the logging mecanism

	proc ::safe::setLogCmd {args} {
	variable Log
	set la [llength $args]
	if {$la == 0} {
	return $Log
	} elseif {$la == 1} {
	set Log [lindex $args 0]
	} else {
	set Log $args
	}

	if {$Log eq ""} {
	# Disable logging completely. Calls to it will be compiled out
	# of all users.
	proc ::safe::Log {args} {}
	} else {
	# Activate logging, define proper command.

	proc ::safe::Log {slave msg {type ERROR}} {
	variable Log
	{*}$Log "$type for slave $slave : $msg"
	return
	}
	}
	}

	# ------------------- END OF PUBLIC METHODS ------------

	#
	# Sets the slave auto_path to the master recorded value. Also sets
	# tcl_library to the first token of the virtual path.
	#
	proc ::safe::SyncAccessPath {slave} {
	namespace upvar ::safe S$slave state

	set slave_access_path $state(access_path,slave)
	::interp eval $slave [list set auto_path $slave_access_path]

	Log $slave "auto_path in $slave has been set to $slave_access_path"\
	NOTICE

	# This code assumes that info library is the first element in the
	# list of auto_path's. See -> InterpSetConfig for the code which
	# ensures this condition.

	::interp eval $slave [list \
	set tcl_library [lindex $slave_access_path 0]]
	}

	# Returns the virtual token for directory number N.
	proc ::safe::PathToken {n} {
	# We need to have a ":" in the token string so [file join] on the
	# mac won't turn it into a relative path.
	return "\$p(:$n:)" ;# Form tested by case 7.2
	}

	#
	# translate virtual path into real path
	#
	proc ::safe::TranslatePath {slave path} {
	namespace upvar ::safe S$slave state

	# somehow strip the namespaces 'functionality' out (the danger is that
	# we would strip valid macintosh "../" queries... :
	if {[string match "::" $path] \|\| [string match ".." $path]} {
	return -code error "invalid characters in path $path"
	}

	# Use a cached map instead of computed local vars and subst.

	return [string map $state(access_path,map) $path]
	}

	# file name control (limit access to files/resources that should be a
	# valid tcl source file)
	proc ::safe::CheckFileName {slave file} {
	# This used to limit what can be sourced to ".tcl" and forbid files
	# with more than 1 dot and longer than 14 chars, but I changed that
	# for 8.4 as a safe interp has enough internal protection already to
	# allow sourcing anything. - hobbs

	if {![file exists $file]} {
	# don't tell the file path
	return -code error "no such file or directory"
	}

	if {![file readable $file]} {
	# don't tell the file path
	return -code error "not readable"
	}
	}

	# AliasFileSubcommand handles selected subcommands of [file] in safe
	# interpreters that are almost safe. In particular, it just acts to
	# prevent discovery of what home directories exist.

	proc ::safe::AliasFileSubcommand {slave subcommand name} {
	if {[string match ~* $name]} {
	set name ./$name
	}
	tailcall ::interp invokehidden $slave tcl:file:$subcommand $name
	}

	# AliasGlob is the target of the "glob" alias in safe interpreters.

	proc ::safe::AliasGlob {slave args} {
	Log $slave "GLOB ! $args" NOTICE
	set cmd {}
	set at 0
	array set got {
	-directory 0
	-nocomplain 0
	-join 0
	-tails 0
	-- 0
	}

	if {$::tcl_platform(platform) eq "windows"} {
	set dirPartRE {^(.)[\\/]([^\\/])$}
	} else {
	set dirPartRE {^(.)/([^/])$}
	}

	set dir {}
	set virtualdir {}

	while {$at < [llength $args]} {
	switch -glob -- [set opt [lindex $args $at]] {
	-nocomplain - -- - -join - -tails {
	lappend cmd $opt
	set got($opt) 1
	incr at
	}
	-types - -type {
	lappend cmd -types [lindex $args [incr at]]
	incr at
	}
	-directory {
	if {$got($opt)} {
	return -code error \
	{"-directory" cannot be used with "-path"}
	}
	set got($opt) 1
	set virtualdir [lindex $args [incr at]]
	incr at
	}
	pkgIndex.tcl {
	# Oops, this is globbing a subdirectory in regular package
	# search. That is not wanted. Abort, handler does catch
	# already (because glob was not defined before). See
	# package.tcl, lines 484ff in tclPkgUnknown.
	return -code error "unknown command glob"
	}
	-* {
	Log $slave "Safe base rejecting glob option '$opt'"
	return -code error "Safe base rejecting glob option '$opt'"
	}
	default {
	break
	}
	}
	if {$got(--)} break
	}

	# Get the real path from the virtual one and check that the path is in the
	# access path of that slave. Done after basic argument processing so that
	# we know if -nocomplain is set.
	if {$got(-directory)} {
	try {
	set dir [TranslatePath $slave $virtualdir]
	DirInAccessPath $slave $dir
	} on error msg {
	Log $slave $msg
	if {$got(-nocomplain)} return
	return -code error "permission denied"
	}
	lappend cmd -directory $dir
	}

	# Apply the -join semantics ourselves
	if {$got(-join)} {
	set args [lreplace $args $at end [join [lrange $args $at end] "/"]]
	}

	# Process remaining pattern arguments
	set firstPattern [llength $cmd]
	foreach opt [lrange $args $at end] {
	if {![regexp $dirPartRE $opt -> thedir thefile]} {
	set thedir .
	} elseif {[string match ~* $thedir]} {
	set thedir ./$thedir
	}
	if {$thedir eq "*" &&
	($thefile eq "pkgIndex.tcl" \|\| $thefile eq "*.tm")} {
	set mapped 0
	foreach d [glob -directory [TranslatePath $slave $virtualdir] \
	-types d -tails *] {
	catch {
	DirInAccessPath $slave \
	[TranslatePath $slave [file join $virtualdir $d]]
	lappend cmd [file join $d $thefile]
	set mapped 1
	}
	}
	if {$mapped} continue
	}
	try {
	DirInAccessPath $slave [TranslatePath $slave \
	[file join $virtualdir $thedir]]
	} on error msg {
	Log $slave $msg
	if {$got(-nocomplain)} continue
	return -code error "permission denied"
	}
	lappend cmd $opt
	}

	Log $slave "GLOB = $cmd" NOTICE

	if {$got(-nocomplain) && [llength $cmd] eq $firstPattern} {
	return
	}
	try {
	set entries [::interp invokehidden $slave glob {*}$cmd]
	} on error msg {
	Log $slave $msg
	return -code error "script error"
	}

	Log $slave "GLOB < $entries" NOTICE

	# Translate path back to what the slave should see.
	set res {}
	set l [string length $dir]
	foreach p $entries {
	if {[string equal -length $l $dir $p]} {
	set p [string replace $p 0 [expr {$l-1}] $virtualdir]
	}
	lappend res $p
	}

	Log $slave "GLOB > $res" NOTICE
	return $res
	}

	# AliasSource is the target of the "source" alias in safe interpreters.

	proc ::safe::AliasSource {slave args} {
	set argc [llength $args]
	# Extended for handling of Tcl Modules to allow not only "source
	# filename", but "source -encoding E filename" as well.
	if {[lindex $args 0] eq "-encoding"} {
	incr argc -2
	set encoding [lindex $args 1]
	set at 2
	if {$encoding eq "identity"} {
	Log $slave "attempt to use the identity encoding"
	return -code error "permission denied"
	}
	} else {
	set at 0
	set encoding {}
	}
	if {$argc != 1} {
	set msg "wrong # args: should be \"source ?-encoding E? fileName\""
	Log $slave "$msg ($args)"
	return -code error $msg
	}
	set file [lindex $args $at]

	# get the real path from the virtual one.
	if {[catch {
	set realfile [TranslatePath $slave $file]
	} msg]} {
	Log $slave $msg
	return -code error "permission denied"
	}

	# check that the path is in the access path of that slave
	if {[catch {
	FileInAccessPath $slave $realfile
	} msg]} {
	Log $slave $msg
	return -code error "permission denied"
	}

	# do the checks on the filename :
	if {[catch {
	CheckFileName $slave $realfile
	} msg]} {
	Log $slave "$realfile:$msg"
	return -code error $msg
	}

	# Passed all the tests, lets source it. Note that we do this all manually
	# because we want to control [info script] in the slave so information
	# doesn't leak so much. [Bug 2913625]
	set old [::interp eval $slave {info script}]
	set replacementMsg "script error"
	set code [catch {
	set f [open $realfile]
	fconfigure $f -eofchar \032
	if {$encoding ne ""} {
	fconfigure $f -encoding $encoding
	}
	set contents [read $f]
	close $f
	::interp eval $slave [list info script $file]
	} msg opt]
	if {$code == 0} {
	set code [catch {::interp eval $slave $contents} msg opt]
	set replacementMsg $msg
	}
	catch {interp eval $slave [list info script $old]}
	# Note that all non-errors are fine result codes from [source], so we must
	# take a little care to do it properly. [Bug 2923613]
	if {$code == 1} {
	Log $slave $msg
	return -code error $replacementMsg
	}
	return -code $code -options $opt $msg
	}

	# AliasLoad is the target of the "load" alias in safe interpreters.

	proc ::safe::AliasLoad {slave file args} {
	set argc [llength $args]
	if {$argc > 2} {
	set msg "load error: too many arguments"
	Log $slave "$msg ($argc) {$file $args}"
	return -code error $msg
	}

	# package name (can be empty if file is not).
	set package [lindex $args 0]

	namespace upvar ::safe S$slave state

	# Determine where to load. load use a relative interp path and {}
	# means self, so we can directly and safely use passed arg.
	set target [lindex $args 1]
	if {$target ne ""} {
	# we will try to load into a sub sub interp; check that we want to
	# authorize that.
	if {!$state(nestedok)} {
	Log $slave "loading to a sub interp (nestedok)\
	disabled (trying to load $package to $target)"
	return -code error "permission denied (nested load)"
	}
	}

	# Determine what kind of load is requested
	if {$file eq ""} {
	# static package loading
	if {$package eq ""} {
	set msg "load error: empty filename and no package name"
	Log $slave $msg
	return -code error $msg
	}
	if {!$state(staticsok)} {
	Log $slave "static packages loading disabled\
	(trying to load $package to $target)"
	return -code error "permission denied (static package)"
	}
	} else {
	# file loading

	# get the real path from the virtual one.
	try {
	set file [TranslatePath $slave $file]
	} on error msg {
	Log $slave $msg
	return -code error "permission denied"
	}

	# check the translated path
	try {
	FileInAccessPath $slave $file
	} on error msg {
	Log $slave $msg
	return -code error "permission denied (path)"
	}
	}

	try {
	return [::interp invokehidden $slave load $file $package $target]
	} on error msg {
	Log $slave $msg
	return -code error $msg
	}
	}

	# FileInAccessPath raises an error if the file is not found in the list of
	# directories contained in the (master side recorded) slave's access path.

	# the security here relies on "file dirname" answering the proper
	# result... needs checking ?
	proc ::safe::FileInAccessPath {slave file} {
	namespace upvar ::safe S$slave state
	set access_path $state(access_path)

	if {[file isdirectory $file]} {
	return -code error "\"$file\": is a directory"
	}
	set parent [file dirname $file]

	# Normalize paths for comparison since lsearch knows nothing of
	# potential pathname anomalies.
	set norm_parent [file normalize $parent]

	namespace upvar ::safe S$slave state
	if {$norm_parent ni $state(access_path,norm)} {
	return -code error "\"$file\": not in access_path"
	}
	}

	proc ::safe::DirInAccessPath {slave dir} {
	namespace upvar ::safe S$slave state
	set access_path $state(access_path)

	if {[file isfile $dir]} {
	return -code error "\"$dir\": is a file"
	}

	# Normalize paths for comparison since lsearch knows nothing of
	# potential pathname anomalies.
	set norm_dir [file normalize $dir]

	namespace upvar ::safe S$slave state
	if {$norm_dir ni $state(access_path,norm)} {
	return -code error "\"$dir\": not in access_path"
	}
	}

	# This procedure is used to report an attempt to use an unsafe member of an
	# ensemble command.

	proc ::safe::BadSubcommand {slave command subcommand args} {
	set msg "not allowed to invoke subcommand $subcommand of $command"
	Log $slave $msg
	return -code error -errorcode {TCL SAFE SUBCOMMAND} $msg
	}

	# AliasEncoding is the target of the "encoding" alias in safe interpreters.

	proc ::safe::AliasEncoding {slave option args} {
	# Note that [encoding dirs] is not supported in safe slaves at all
	set subcommands {convertfrom convertto names system}
	try {
	set option [tcl::prefix match -error [list -level 1 -errorcode \
	[list TCL LOOKUP INDEX option $option]] $subcommands $option]
	# Special case: [encoding system] ok, but [encoding system foo] not
	if {$option eq "system" && [llength $args]} {
	return -code error -errorcode {TCL WRONGARGS} \
	"wrong # args: should be \"encoding system\""
	}
	} on error {msg options} {
	Log $slave $msg
	return -options $options $msg
	}
	tailcall ::interp invokehidden $slave encoding $option {*}$args
	}

	# Various minor hiding of platform features. [Bug 2913625]

	proc ::safe::AliasExeName {slave} {
	return ""
	}

	proc ::safe::Setup {} {
	####
	#
	# Setup the arguments parsing
	#
	####

	# Share the descriptions
	set temp [::tcl::OptKeyRegister {
	{-accessPath -list {} "access path for the slave"}
	{-noStatics "prevent loading of statically linked pkgs"}
	{-statics true "loading of statically linked pkgs"}
	{-nestedLoadOk "allow nested loading"}
	{-nested false "nested loading"}
	{-deleteHook -script {} "delete hook"}
	}]

	# create case (slave is optional)
	::tcl::OptKeyRegister {
	{?slave? -name {} "name of the slave (optional)"}
	} ::safe::interpCreate

	# adding the flags sub programs to the command program (relying on Opt's
	# internal implementation details)
	lappend ::tcl::OptDesc(::safe::interpCreate) $::tcl::OptDesc($temp)

	# init and configure (slave is needed)
	::tcl::OptKeyRegister {
	{slave -name {} "name of the slave"}
	} ::safe::interpIC

	# adding the flags sub programs to the command program (relying on Opt's
	# internal implementation details)
	lappend ::tcl::OptDesc(::safe::interpIC) $::tcl::OptDesc($temp)

	# temp not needed anymore
	::tcl::OptKeyDelete $temp

	####
	#
	# Default: No logging.
	#
	####

	setLogCmd {}

	# Log eventually.
	# To enable error logging, set Log to {puts stderr} for instance,
	# via setLogCmd.
	return
	}

	namespace eval ::safe {
	# internal variables

	# Log command, set via 'setLogCmd'. Logging is disabled when empty.
	variable Log {}

	# The package maintains a state array per slave interp under its
	# control. The name of this array is S<interp-name>. This array is
	# brought into scope where needed, using 'namespace upvar'. The S
	# prefix is used to avoid that a slave interp called "Log" smashes
	# the "Log" variable.
	#
	# The array's elements are:
	#
	# access_path : List of paths accessible to the slave.
	# access_path,norm : Ditto, in normalized form.
	# access_path,slave : Ditto, as the path tokens as seen by the slave.
	# access_path,map : dict ( token -> path )
	# access_path,remap : dict ( path -> token )
	# tm_path_slave : List of TM root directories, as tokens seen by the slave.
	# staticsok : Value of option -statics
	# nestedok : Value of option -nested
	# cleanupHook : Value of option -deleteHook
	}

	::safe::Setup