Spaces:
Running
Running
| # safe.tcl -- | |
| # | |
| # This file provide a safe loading/sourcing mechanism for safe interpreters. | |
| # It implements a virtual path mecanism to hide the real pathnames from the | |
| # slave. It runs in a master interpreter and sets up data structure and | |
| # aliases that will be invoked when used from a slave interpreter. | |
| # | |
| # See the safe.n man page for details. | |
| # | |
| # Copyright (c) 1996-1997 Sun Microsystems, Inc. | |
| # | |
| # See the file "license.terms" for information on usage and redistribution of | |
| # this file, and for a DISCLAIMER OF ALL WARRANTIES. | |
| # | |
| # The implementation is based on namespaces. These naming conventions are | |
| # followed: | |
| # Private procs starts with uppercase. | |
| # Public procs are exported and starts with lowercase | |
| # | |
| # Needed utilities package | |
| package require opt 0.4.1 | |
| # Create the safe namespace | |
| namespace eval ::safe { | |
| # Exported API: | |
| namespace export interpCreate interpInit interpConfigure interpDelete \ | |
| interpAddToAccessPath interpFindInAccessPath setLogCmd | |
| } | |
| # Helper function to resolve the dual way of specifying staticsok (either | |
| # by -noStatics or -statics 0) | |
| proc ::safe::InterpStatics {} { | |
| foreach v {Args statics noStatics} { | |
| upvar $v $v | |
| } | |
| set flag [::tcl::OptProcArgGiven -noStatics] | |
| if {$flag && (!$noStatics == !$statics) | |
| && ([::tcl::OptProcArgGiven -statics])} { | |
| return -code error\ | |
| "conflicting values given for -statics and -noStatics" | |
| } | |
| if {$flag} { | |
| return [expr {!$noStatics}] | |
| } else { | |
| return $statics | |
| } | |
| } | |
| # Helper function to resolve the dual way of specifying nested loading | |
| # (either by -nestedLoadOk or -nested 1) | |
| proc ::safe::InterpNested {} { | |
| foreach v {Args nested nestedLoadOk} { | |
| upvar $v $v | |
| } | |
| set flag [::tcl::OptProcArgGiven -nestedLoadOk] | |
| # note that the test here is the opposite of the "InterpStatics" one | |
| # (it is not -noNested... because of the wanted default value) | |
| if {$flag && (!$nestedLoadOk != !$nested) | |
| && ([::tcl::OptProcArgGiven -nested])} { | |
| return -code error\ | |
| "conflicting values given for -nested and -nestedLoadOk" | |
| } | |
| if {$flag} { | |
| # another difference with "InterpStatics" | |
| return $nestedLoadOk | |
| } else { | |
| return $nested | |
| } | |
| } | |
| #### | |
| # | |
| # API entry points that needs argument parsing : | |
| # | |
| #### | |
| # Interface/entry point function and front end for "Create" | |
| proc ::safe::interpCreate {args} { | |
| set Args [::tcl::OptKeyParse ::safe::interpCreate $args] | |
| InterpCreate $slave $accessPath \ | |
| [InterpStatics] [InterpNested] $deleteHook | |
| } | |
| proc ::safe::interpInit {args} { | |
| set Args [::tcl::OptKeyParse ::safe::interpIC $args] | |
| if {![::interp exists $slave]} { | |
| return -code error "\"$slave\" is not an interpreter" | |
| } | |
| InterpInit $slave $accessPath \ | |
| [InterpStatics] [InterpNested] $deleteHook | |
| } | |
| # Check that the given slave is "one of us" | |
| proc ::safe::CheckInterp {slave} { | |
| namespace upvar ::safe S$slave state | |
| if {![info exists state] || ![::interp exists $slave]} { | |
| return -code error \ | |
| "\"$slave\" is not an interpreter managed by ::safe::" | |
| } | |
| } | |
| # Interface/entry point function and front end for "Configure". This code | |
| # is awfully pedestrian because it would need more coupling and support | |
| # between the way we store the configuration values in safe::interp's and | |
| # the Opt package. Obviously we would like an OptConfigure to avoid | |
| # duplicating all this code everywhere. | |
| # -> TODO (the app should share or access easily the program/value stored | |
| # by opt) | |
| # This is even more complicated by the boolean flags with no values that | |
| # we had the bad idea to support for the sake of user simplicity in | |
| # create/init but which makes life hard in configure... | |
| # So this will be hopefully written and some integrated with opt1.0 | |
| # (hopefully for tcl8.1 ?) | |
| proc ::safe::interpConfigure {args} { | |
| switch [llength $args] { | |
| 1 { | |
| # If we have exactly 1 argument the semantic is to return all | |
| # the current configuration. We still call OptKeyParse though | |
| # we know that "slave" is our given argument because it also | |
| # checks for the "-help" option. | |
| set Args [::tcl::OptKeyParse ::safe::interpIC $args] | |
| CheckInterp $slave | |
| namespace upvar ::safe S$slave state | |
| return [join [list \ | |
| [list -accessPath $state(access_path)] \ | |
| [list -statics $state(staticsok)] \ | |
| [list -nested $state(nestedok)] \ | |
| [list -deleteHook $state(cleanupHook)]]] | |
| } | |
| 2 { | |
| # If we have exactly 2 arguments the semantic is a "configure | |
| # get" | |
| lassign $args slave arg | |
| # get the flag sub program (we 'know' about Opt's internal | |
| # representation of data) | |
| set desc [lindex [::tcl::OptKeyGetDesc ::safe::interpIC] 2] | |
| set hits [::tcl::OptHits desc $arg] | |
| if {$hits > 1} { | |
| return -code error [::tcl::OptAmbigous $desc $arg] | |
| } elseif {$hits == 0} { | |
| return -code error [::tcl::OptFlagUsage $desc $arg] | |
| } | |
| CheckInterp $slave | |
| namespace upvar ::safe S$slave state | |
| set item [::tcl::OptCurDesc $desc] | |
| set name [::tcl::OptName $item] | |
| switch -exact -- $name { | |
| -accessPath { | |
| return [list -accessPath $state(access_path)] | |
| } | |
| -statics { | |
| return [list -statics $state(staticsok)] | |
| } | |
| -nested { | |
| return [list -nested $state(nestedok)] | |
| } | |
| -deleteHook { | |
| return [list -deleteHook $state(cleanupHook)] | |
| } | |
| -noStatics { | |
| # it is most probably a set in fact but we would need | |
| # then to jump to the set part and it is not *sure* | |
| # that it is a set action that the user want, so force | |
| # it to use the unambigous -statics ?value? instead: | |
| return -code error\ | |
| "ambigous query (get or set -noStatics ?)\ | |
| use -statics instead" | |
| } | |
| -nestedLoadOk { | |
| return -code error\ | |
| "ambigous query (get or set -nestedLoadOk ?)\ | |
| use -nested instead" | |
| } | |
| default { | |
| return -code error "unknown flag $name (bug)" | |
| } | |
| } | |
| } | |
| default { | |
| # Otherwise we want to parse the arguments like init and | |
| # create did | |
| set Args [::tcl::OptKeyParse ::safe::interpIC $args] | |
| CheckInterp $slave | |
| namespace upvar ::safe S$slave state | |
| # Get the current (and not the default) values of whatever has | |
| # not been given: | |
| if {![::tcl::OptProcArgGiven -accessPath]} { | |
| set doreset 1 | |
| set accessPath $state(access_path) | |
| } else { | |
| set doreset 0 | |
| } | |
| if { | |
| ![::tcl::OptProcArgGiven -statics] | |
| && ![::tcl::OptProcArgGiven -noStatics] | |
| } then { | |
| set statics $state(staticsok) | |
| } else { | |
| set statics [InterpStatics] | |
| } | |
| if { | |
| [::tcl::OptProcArgGiven -nested] || | |
| [::tcl::OptProcArgGiven -nestedLoadOk] | |
| } then { | |
| set nested [InterpNested] | |
| } else { | |
| set nested $state(nestedok) | |
| } | |
| if {![::tcl::OptProcArgGiven -deleteHook]} { | |
| set deleteHook $state(cleanupHook) | |
| } | |
| # we can now reconfigure : | |
| InterpSetConfig $slave $accessPath $statics $nested $deleteHook | |
| # auto_reset the slave (to completly synch the new access_path) | |
| if {$doreset} { | |
| if {[catch {::interp eval $slave {auto_reset}} msg]} { | |
| Log $slave "auto_reset failed: $msg" | |
| } else { | |
| Log $slave "successful auto_reset" NOTICE | |
| } | |
| } | |
| } | |
| } | |
| } | |
| #### | |
| # | |
| # Functions that actually implements the exported APIs | |
| # | |
| #### | |
| # | |
| # safe::InterpCreate : doing the real job | |
| # | |
| # This procedure creates a safe slave and initializes it with the safe | |
| # base aliases. | |
| # NB: slave name must be simple alphanumeric string, no spaces, no (), no | |
| # {},... {because the state array is stored as part of the name} | |
| # | |
| # Returns the slave name. | |
| # | |
| # Optional Arguments : | |
| # + slave name : if empty, generated name will be used | |
| # + access_path: path list controlling where load/source can occur, | |
| # if empty: the master auto_path will be used. | |
| # + staticsok : flag, if 0 :no static package can be loaded (load {} Xxx) | |
| # if 1 :static packages are ok. | |
| # + nestedok: flag, if 0 :no loading to sub-sub interps (load xx xx sub) | |
| # if 1 : multiple levels are ok. | |
| # use the full name and no indent so auto_mkIndex can find us | |
| proc ::safe::InterpCreate { | |
| slave | |
| access_path | |
| staticsok | |
| nestedok | |
| deletehook | |
| } { | |
| # Create the slave. | |
| if {$slave ne ""} { | |
| ::interp create -safe $slave | |
| } else { | |
| # empty argument: generate slave name | |
| set slave [::interp create -safe] | |
| } | |
| Log $slave "Created" NOTICE | |
| # Initialize it. (returns slave name) | |
| InterpInit $slave $access_path $staticsok $nestedok $deletehook | |
| } | |
| # | |
| # InterpSetConfig (was setAccessPath) : | |
| # Sets up slave virtual auto_path and corresponding structure within | |
| # the master. Also sets the tcl_library in the slave to be the first | |
| # directory in the path. | |
| # NB: If you change the path after the slave has been initialized you | |
| # probably need to call "auto_reset" in the slave in order that it gets | |
| # the right auto_index() array values. | |
| proc ::safe::InterpSetConfig {slave access_path staticsok nestedok deletehook} { | |
| global auto_path | |
| # determine and store the access path if empty | |
| if {$access_path eq ""} { | |
| set access_path $auto_path | |
| # Make sure that tcl_library is in auto_path and at the first | |
| # position (needed by setAccessPath) | |
| set where [lsearch -exact $access_path [info library]] | |
| if {$where == -1} { | |
| # not found, add it. | |
| set access_path [linsert $access_path 0 [info library]] | |
| Log $slave "tcl_library was not in auto_path,\ | |
| added it to slave's access_path" NOTICE | |
| } elseif {$where != 0} { | |
| # not first, move it first | |
| set access_path [linsert \ | |
| [lreplace $access_path $where $where] \ | |
| 0 [info library]] | |
| Log $slave "tcl_libray was not in first in auto_path,\ | |
| moved it to front of slave's access_path" NOTICE | |
| } | |
| # Add 1st level sub dirs (will searched by auto loading from tcl | |
| # code in the slave using glob and thus fail, so we add them here | |
| # so by default it works the same). | |
| set access_path [AddSubDirs $access_path] | |
| } | |
| Log $slave "Setting accessPath=($access_path) staticsok=$staticsok\ | |
| nestedok=$nestedok deletehook=($deletehook)" NOTICE | |
| namespace upvar ::safe S$slave state | |
| # clear old autopath if it existed | |
| # build new one | |
| # Extend the access list with the paths used to look for Tcl Modules. | |
| # We save the virtual form separately as well, as syncing it with the | |
| # slave has to be defered until the necessary commands are present for | |
| # setup. | |
| set norm_access_path {} | |
| set slave_access_path {} | |
| set map_access_path {} | |
| set remap_access_path {} | |
| set slave_tm_path {} | |
| set i 0 | |
| foreach dir $access_path { | |
| set token [PathToken $i] | |
| lappend slave_access_path $token | |
| lappend map_access_path $token $dir | |
| lappend remap_access_path $dir $token | |
| lappend norm_access_path [file normalize $dir] | |
| incr i | |
| } | |
| set morepaths [::tcl::tm::list] | |
| while {[llength $morepaths]} { | |
| set addpaths $morepaths | |
| set morepaths {} | |
| foreach dir $addpaths { | |
| # Prevent the addition of dirs on the tm list to the | |
| # result if they are already known. | |
| if {[dict exists $remap_access_path $dir]} { | |
| continue | |
| } | |
| set token [PathToken $i] | |
| lappend access_path $dir | |
| lappend slave_access_path $token | |
| lappend map_access_path $token $dir | |
| lappend remap_access_path $dir $token | |
| lappend norm_access_path [file normalize $dir] | |
| lappend slave_tm_path $token | |
| incr i | |
| # [Bug 2854929] | |
| # Recursively find deeper paths which may contain | |
| # modules. Required to handle modules with names like | |
| # 'platform::shell', which translate into | |
| # 'platform/shell-X.tm', i.e arbitrarily deep | |
| # subdirectories. | |
| lappend morepaths {*}[glob -nocomplain -directory $dir -type d *] | |
| } | |
| } | |
| set state(access_path) $access_path | |
| set state(access_path,map) $map_access_path | |
| set state(access_path,remap) $remap_access_path | |
| set state(access_path,norm) $norm_access_path | |
| set state(access_path,slave) $slave_access_path | |
| set state(tm_path_slave) $slave_tm_path | |
| set state(staticsok) $staticsok | |
| set state(nestedok) $nestedok | |
| set state(cleanupHook) $deletehook | |
| SyncAccessPath $slave | |
| } | |
| # | |
| # | |
| # FindInAccessPath: | |
| # Search for a real directory and returns its virtual Id (including the | |
| # "$") | |
| proc ::safe::interpFindInAccessPath {slave path} { | |
| namespace upvar ::safe S$slave state | |
| if {![dict exists $state(access_path,remap) $path]} { | |
| return -code error "$path not found in access path $access_path" | |
| } | |
| return [dict get $state(access_path,remap) $path] | |
| } | |
| # | |
| # addToAccessPath: | |
| # add (if needed) a real directory to access path and return its | |
| # virtual token (including the "$"). | |
| proc ::safe::interpAddToAccessPath {slave path} { | |
| # first check if the directory is already in there | |
| # (inlined interpFindInAccessPath). | |
| namespace upvar ::safe S$slave state | |
| if {[dict exists $state(access_path,remap) $path]} { | |
| return [dict get $state(access_path,remap) $path] | |
| } | |
| # new one, add it: | |
| set token [PathToken [llength $state(access_path)]] | |
| lappend state(access_path) $path | |
| lappend state(access_path,slave) $token | |
| lappend state(access_path,map) $token $path | |
| lappend state(access_path,remap) $path $token | |
| lappend state(access_path,norm) [file normalize $path] | |
| SyncAccessPath $slave | |
| return $token | |
| } | |
| # This procedure applies the initializations to an already existing | |
| # interpreter. It is useful when you want to install the safe base aliases | |
| # into a preexisting safe interpreter. | |
| proc ::safe::InterpInit { | |
| slave | |
| access_path | |
| staticsok | |
| nestedok | |
| deletehook | |
| } { | |
| # Configure will generate an access_path when access_path is empty. | |
| InterpSetConfig $slave $access_path $staticsok $nestedok $deletehook | |
| # NB we need to add [namespace current], aliases are always absolute | |
| # paths. | |
| # These aliases let the slave load files to define new commands | |
| # This alias lets the slave use the encoding names, convertfrom, | |
| # convertto, and system, but not "encoding system <name>" to set the | |
| # system encoding. | |
| # Handling Tcl Modules, we need a restricted form of Glob. | |
| # This alias interposes on the 'exit' command and cleanly terminates | |
| # the slave. | |
| foreach {command alias} { | |
| source AliasSource | |
| load AliasLoad | |
| encoding AliasEncoding | |
| exit interpDelete | |
| glob AliasGlob | |
| } { | |
| ::interp alias $slave $command {} [namespace current]::$alias $slave | |
| } | |
| # This alias lets the slave have access to a subset of the 'file' | |
| # command functionality. | |
| ::interp expose $slave file | |
| foreach subcommand {dirname extension rootname tail} { | |
| ::interp alias $slave ::tcl::file::$subcommand {} \ | |
| ::safe::AliasFileSubcommand $slave $subcommand | |
| } | |
| foreach subcommand { | |
| atime attributes copy delete executable exists isdirectory isfile | |
| link lstat mtime mkdir nativename normalize owned readable readlink | |
| rename size stat tempfile type volumes writable | |
| } { | |
| ::interp alias $slave ::tcl::file::$subcommand {} \ | |
| ::safe::BadSubcommand $slave file $subcommand | |
| } | |
| # Subcommands of info | |
| foreach {subcommand alias} { | |
| nameofexecutable AliasExeName | |
| } { | |
| ::interp alias $slave ::tcl::info::$subcommand \ | |
| {} [namespace current]::$alias $slave | |
| } | |
| # The allowed slave variables already have been set by Tcl_MakeSafe(3) | |
| # Source init.tcl and tm.tcl into the slave, to get auto_load and | |
| # other procedures defined: | |
| if {[catch {::interp eval $slave { | |
| source [file join $tcl_library init.tcl] | |
| }} msg opt]} { | |
| Log $slave "can't source init.tcl ($msg)" | |
| return -options $opt "can't source init.tcl into slave $slave ($msg)" | |
| } | |
| if {[catch {::interp eval $slave { | |
| source [file join $tcl_library tm.tcl] | |
| }} msg opt]} { | |
| Log $slave "can't source tm.tcl ($msg)" | |
| return -options $opt "can't source tm.tcl into slave $slave ($msg)" | |
| } | |
| # Sync the paths used to search for Tcl modules. This can be done only | |
| # now, after tm.tcl was loaded. | |
| namespace upvar ::safe S$slave state | |
| if {[llength $state(tm_path_slave)] > 0} { | |
| ::interp eval $slave [list \ | |
| ::tcl::tm::add {*}[lreverse $state(tm_path_slave)]] | |
| } | |
| return $slave | |
| } | |
| # Add (only if needed, avoid duplicates) 1 level of sub directories to an | |
| # existing path list. Also removes non directories from the returned | |
| # list. | |
| proc ::safe::AddSubDirs {pathList} { | |
| set res {} | |
| foreach dir $pathList { | |
| if {[file isdirectory $dir]} { | |
| # check that we don't have it yet as a children of a previous | |
| # dir | |
| if {$dir ni $res} { | |
| lappend res $dir | |
| } | |
| foreach sub [glob -directory $dir -nocomplain *] { | |
| if {[file isdirectory $sub] && ($sub ni $res)} { | |
| # new sub dir, add it ! | |
| lappend res $sub | |
| } | |
| } | |
| } | |
| } | |
| return $res | |
| } | |
| # This procedure deletes a safe slave managed by Safe Tcl and cleans up | |
| # associated state: | |
| proc ::safe::interpDelete {slave} { | |
| Log $slave "About to delete" NOTICE | |
| namespace upvar ::safe S$slave state | |
| # If the slave has a cleanup hook registered, call it. Check the | |
| # existance because we might be called to delete an interp which has | |
| # not been registered with us at all | |
| if {[info exists state(cleanupHook)]} { | |
| set hook $state(cleanupHook) | |
| if {[llength $hook]} { | |
| # remove the hook now, otherwise if the hook calls us somehow, | |
| # we'll loop | |
| unset state(cleanupHook) | |
| try { | |
| {*}$hook $slave | |
| } on error err { | |
| Log $slave "Delete hook error ($err)" | |
| } | |
| } | |
| } | |
| # Discard the global array of state associated with the slave, and | |
| # delete the interpreter. | |
| if {[info exists state]} { | |
| unset state | |
| } | |
| # if we have been called twice, the interp might have been deleted | |
| # already | |
| if {[::interp exists $slave]} { | |
| ::interp delete $slave | |
| Log $slave "Deleted" NOTICE | |
| } | |
| return | |
| } | |
| # Set (or get) the logging mecanism | |
| proc ::safe::setLogCmd {args} { | |
| variable Log | |
| set la [llength $args] | |
| if {$la == 0} { | |
| return $Log | |
| } elseif {$la == 1} { | |
| set Log [lindex $args 0] | |
| } else { | |
| set Log $args | |
| } | |
| if {$Log eq ""} { | |
| # Disable logging completely. Calls to it will be compiled out | |
| # of all users. | |
| proc ::safe::Log {args} {} | |
| } else { | |
| # Activate logging, define proper command. | |
| proc ::safe::Log {slave msg {type ERROR}} { | |
| variable Log | |
| {*}$Log "$type for slave $slave : $msg" | |
| return | |
| } | |
| } | |
| } | |
| # ------------------- END OF PUBLIC METHODS ------------ | |
| # | |
| # Sets the slave auto_path to the master recorded value. Also sets | |
| # tcl_library to the first token of the virtual path. | |
| # | |
| proc ::safe::SyncAccessPath {slave} { | |
| namespace upvar ::safe S$slave state | |
| set slave_access_path $state(access_path,slave) | |
| ::interp eval $slave [list set auto_path $slave_access_path] | |
| Log $slave "auto_path in $slave has been set to $slave_access_path"\ | |
| NOTICE | |
| # This code assumes that info library is the first element in the | |
| # list of auto_path's. See -> InterpSetConfig for the code which | |
| # ensures this condition. | |
| ::interp eval $slave [list \ | |
| set tcl_library [lindex $slave_access_path 0]] | |
| } | |
| # Returns the virtual token for directory number N. | |
| proc ::safe::PathToken {n} { | |
| # We need to have a ":" in the token string so [file join] on the | |
| # mac won't turn it into a relative path. | |
| return "\$p(:$n:)" ;# Form tested by case 7.2 | |
| } | |
| # | |
| # translate virtual path into real path | |
| # | |
| proc ::safe::TranslatePath {slave path} { | |
| namespace upvar ::safe S$slave state | |
| # somehow strip the namespaces 'functionality' out (the danger is that | |
| # we would strip valid macintosh "../" queries... : | |
| if {[string match "*::*" $path] || [string match "*..*" $path]} { | |
| return -code error "invalid characters in path $path" | |
| } | |
| # Use a cached map instead of computed local vars and subst. | |
| return [string map $state(access_path,map) $path] | |
| } | |
| # file name control (limit access to files/resources that should be a | |
| # valid tcl source file) | |
| proc ::safe::CheckFileName {slave file} { | |
| # This used to limit what can be sourced to ".tcl" and forbid files | |
| # with more than 1 dot and longer than 14 chars, but I changed that | |
| # for 8.4 as a safe interp has enough internal protection already to | |
| # allow sourcing anything. - hobbs | |
| if {![file exists $file]} { | |
| # don't tell the file path | |
| return -code error "no such file or directory" | |
| } | |
| if {![file readable $file]} { | |
| # don't tell the file path | |
| return -code error "not readable" | |
| } | |
| } | |
| # AliasFileSubcommand handles selected subcommands of [file] in safe | |
| # interpreters that are *almost* safe. In particular, it just acts to | |
| # prevent discovery of what home directories exist. | |
| proc ::safe::AliasFileSubcommand {slave subcommand name} { | |
| if {[string match ~* $name]} { | |
| set name ./$name | |
| } | |
| tailcall ::interp invokehidden $slave tcl:file:$subcommand $name | |
| } | |
| # AliasGlob is the target of the "glob" alias in safe interpreters. | |
| proc ::safe::AliasGlob {slave args} { | |
| Log $slave "GLOB ! $args" NOTICE | |
| set cmd {} | |
| set at 0 | |
| array set got { | |
| -directory 0 | |
| -nocomplain 0 | |
| -join 0 | |
| -tails 0 | |
| -- 0 | |
| } | |
| if {$::tcl_platform(platform) eq "windows"} { | |
| set dirPartRE {^(.*)[\\/]([^\\/]*)$} | |
| } else { | |
| set dirPartRE {^(.*)/([^/]*)$} | |
| } | |
| set dir {} | |
| set virtualdir {} | |
| while {$at < [llength $args]} { | |
| switch -glob -- [set opt [lindex $args $at]] { | |
| -nocomplain - -- - -join - -tails { | |
| lappend cmd $opt | |
| set got($opt) 1 | |
| incr at | |
| } | |
| -types - -type { | |
| lappend cmd -types [lindex $args [incr at]] | |
| incr at | |
| } | |
| -directory { | |
| if {$got($opt)} { | |
| return -code error \ | |
| {"-directory" cannot be used with "-path"} | |
| } | |
| set got($opt) 1 | |
| set virtualdir [lindex $args [incr at]] | |
| incr at | |
| } | |
| pkgIndex.tcl { | |
| # Oops, this is globbing a subdirectory in regular package | |
| # search. That is not wanted. Abort, handler does catch | |
| # already (because glob was not defined before). See | |
| # package.tcl, lines 484ff in tclPkgUnknown. | |
| return -code error "unknown command glob" | |
| } | |
| -* { | |
| Log $slave "Safe base rejecting glob option '$opt'" | |
| return -code error "Safe base rejecting glob option '$opt'" | |
| } | |
| default { | |
| break | |
| } | |
| } | |
| if {$got(--)} break | |
| } | |
| # Get the real path from the virtual one and check that the path is in the | |
| # access path of that slave. Done after basic argument processing so that | |
| # we know if -nocomplain is set. | |
| if {$got(-directory)} { | |
| try { | |
| set dir [TranslatePath $slave $virtualdir] | |
| DirInAccessPath $slave $dir | |
| } on error msg { | |
| Log $slave $msg | |
| if {$got(-nocomplain)} return | |
| return -code error "permission denied" | |
| } | |
| lappend cmd -directory $dir | |
| } | |
| # Apply the -join semantics ourselves | |
| if {$got(-join)} { | |
| set args [lreplace $args $at end [join [lrange $args $at end] "/"]] | |
| } | |
| # Process remaining pattern arguments | |
| set firstPattern [llength $cmd] | |
| foreach opt [lrange $args $at end] { | |
| if {![regexp $dirPartRE $opt -> thedir thefile]} { | |
| set thedir . | |
| } elseif {[string match ~* $thedir]} { | |
| set thedir ./$thedir | |
| } | |
| if {$thedir eq "*" && | |
| ($thefile eq "pkgIndex.tcl" || $thefile eq "*.tm")} { | |
| set mapped 0 | |
| foreach d [glob -directory [TranslatePath $slave $virtualdir] \ | |
| -types d -tails *] { | |
| catch { | |
| DirInAccessPath $slave \ | |
| [TranslatePath $slave [file join $virtualdir $d]] | |
| lappend cmd [file join $d $thefile] | |
| set mapped 1 | |
| } | |
| } | |
| if {$mapped} continue | |
| } | |
| try { | |
| DirInAccessPath $slave [TranslatePath $slave \ | |
| [file join $virtualdir $thedir]] | |
| } on error msg { | |
| Log $slave $msg | |
| if {$got(-nocomplain)} continue | |
| return -code error "permission denied" | |
| } | |
| lappend cmd $opt | |
| } | |
| Log $slave "GLOB = $cmd" NOTICE | |
| if {$got(-nocomplain) && [llength $cmd] eq $firstPattern} { | |
| return | |
| } | |
| try { | |
| set entries [::interp invokehidden $slave glob {*}$cmd] | |
| } on error msg { | |
| Log $slave $msg | |
| return -code error "script error" | |
| } | |
| Log $slave "GLOB < $entries" NOTICE | |
| # Translate path back to what the slave should see. | |
| set res {} | |
| set l [string length $dir] | |
| foreach p $entries { | |
| if {[string equal -length $l $dir $p]} { | |
| set p [string replace $p 0 [expr {$l-1}] $virtualdir] | |
| } | |
| lappend res $p | |
| } | |
| Log $slave "GLOB > $res" NOTICE | |
| return $res | |
| } | |
| # AliasSource is the target of the "source" alias in safe interpreters. | |
| proc ::safe::AliasSource {slave args} { | |
| set argc [llength $args] | |
| # Extended for handling of Tcl Modules to allow not only "source | |
| # filename", but "source -encoding E filename" as well. | |
| if {[lindex $args 0] eq "-encoding"} { | |
| incr argc -2 | |
| set encoding [lindex $args 1] | |
| set at 2 | |
| if {$encoding eq "identity"} { | |
| Log $slave "attempt to use the identity encoding" | |
| return -code error "permission denied" | |
| } | |
| } else { | |
| set at 0 | |
| set encoding {} | |
| } | |
| if {$argc != 1} { | |
| set msg "wrong # args: should be \"source ?-encoding E? fileName\"" | |
| Log $slave "$msg ($args)" | |
| return -code error $msg | |
| } | |
| set file [lindex $args $at] | |
| # get the real path from the virtual one. | |
| if {[catch { | |
| set realfile [TranslatePath $slave $file] | |
| } msg]} { | |
| Log $slave $msg | |
| return -code error "permission denied" | |
| } | |
| # check that the path is in the access path of that slave | |
| if {[catch { | |
| FileInAccessPath $slave $realfile | |
| } msg]} { | |
| Log $slave $msg | |
| return -code error "permission denied" | |
| } | |
| # do the checks on the filename : | |
| if {[catch { | |
| CheckFileName $slave $realfile | |
| } msg]} { | |
| Log $slave "$realfile:$msg" | |
| return -code error $msg | |
| } | |
| # Passed all the tests, lets source it. Note that we do this all manually | |
| # because we want to control [info script] in the slave so information | |
| # doesn't leak so much. [Bug 2913625] | |
| set old [::interp eval $slave {info script}] | |
| set replacementMsg "script error" | |
| set code [catch { | |
| set f [open $realfile] | |
| fconfigure $f -eofchar \032 | |
| if {$encoding ne ""} { | |
| fconfigure $f -encoding $encoding | |
| } | |
| set contents [read $f] | |
| close $f | |
| ::interp eval $slave [list info script $file] | |
| } msg opt] | |
| if {$code == 0} { | |
| set code [catch {::interp eval $slave $contents} msg opt] | |
| set replacementMsg $msg | |
| } | |
| catch {interp eval $slave [list info script $old]} | |
| # Note that all non-errors are fine result codes from [source], so we must | |
| # take a little care to do it properly. [Bug 2923613] | |
| if {$code == 1} { | |
| Log $slave $msg | |
| return -code error $replacementMsg | |
| } | |
| return -code $code -options $opt $msg | |
| } | |
| # AliasLoad is the target of the "load" alias in safe interpreters. | |
| proc ::safe::AliasLoad {slave file args} { | |
| set argc [llength $args] | |
| if {$argc > 2} { | |
| set msg "load error: too many arguments" | |
| Log $slave "$msg ($argc) {$file $args}" | |
| return -code error $msg | |
| } | |
| # package name (can be empty if file is not). | |
| set package [lindex $args 0] | |
| namespace upvar ::safe S$slave state | |
| # Determine where to load. load use a relative interp path and {} | |
| # means self, so we can directly and safely use passed arg. | |
| set target [lindex $args 1] | |
| if {$target ne ""} { | |
| # we will try to load into a sub sub interp; check that we want to | |
| # authorize that. | |
| if {!$state(nestedok)} { | |
| Log $slave "loading to a sub interp (nestedok)\ | |
| disabled (trying to load $package to $target)" | |
| return -code error "permission denied (nested load)" | |
| } | |
| } | |
| # Determine what kind of load is requested | |
| if {$file eq ""} { | |
| # static package loading | |
| if {$package eq ""} { | |
| set msg "load error: empty filename and no package name" | |
| Log $slave $msg | |
| return -code error $msg | |
| } | |
| if {!$state(staticsok)} { | |
| Log $slave "static packages loading disabled\ | |
| (trying to load $package to $target)" | |
| return -code error "permission denied (static package)" | |
| } | |
| } else { | |
| # file loading | |
| # get the real path from the virtual one. | |
| try { | |
| set file [TranslatePath $slave $file] | |
| } on error msg { | |
| Log $slave $msg | |
| return -code error "permission denied" | |
| } | |
| # check the translated path | |
| try { | |
| FileInAccessPath $slave $file | |
| } on error msg { | |
| Log $slave $msg | |
| return -code error "permission denied (path)" | |
| } | |
| } | |
| try { | |
| return [::interp invokehidden $slave load $file $package $target] | |
| } on error msg { | |
| Log $slave $msg | |
| return -code error $msg | |
| } | |
| } | |
| # FileInAccessPath raises an error if the file is not found in the list of | |
| # directories contained in the (master side recorded) slave's access path. | |
| # the security here relies on "file dirname" answering the proper | |
| # result... needs checking ? | |
| proc ::safe::FileInAccessPath {slave file} { | |
| namespace upvar ::safe S$slave state | |
| set access_path $state(access_path) | |
| if {[file isdirectory $file]} { | |
| return -code error "\"$file\": is a directory" | |
| } | |
| set parent [file dirname $file] | |
| # Normalize paths for comparison since lsearch knows nothing of | |
| # potential pathname anomalies. | |
| set norm_parent [file normalize $parent] | |
| namespace upvar ::safe S$slave state | |
| if {$norm_parent ni $state(access_path,norm)} { | |
| return -code error "\"$file\": not in access_path" | |
| } | |
| } | |
| proc ::safe::DirInAccessPath {slave dir} { | |
| namespace upvar ::safe S$slave state | |
| set access_path $state(access_path) | |
| if {[file isfile $dir]} { | |
| return -code error "\"$dir\": is a file" | |
| } | |
| # Normalize paths for comparison since lsearch knows nothing of | |
| # potential pathname anomalies. | |
| set norm_dir [file normalize $dir] | |
| namespace upvar ::safe S$slave state | |
| if {$norm_dir ni $state(access_path,norm)} { | |
| return -code error "\"$dir\": not in access_path" | |
| } | |
| } | |
| # This procedure is used to report an attempt to use an unsafe member of an | |
| # ensemble command. | |
| proc ::safe::BadSubcommand {slave command subcommand args} { | |
| set msg "not allowed to invoke subcommand $subcommand of $command" | |
| Log $slave $msg | |
| return -code error -errorcode {TCL SAFE SUBCOMMAND} $msg | |
| } | |
| # AliasEncoding is the target of the "encoding" alias in safe interpreters. | |
| proc ::safe::AliasEncoding {slave option args} { | |
| # Note that [encoding dirs] is not supported in safe slaves at all | |
| set subcommands {convertfrom convertto names system} | |
| try { | |
| set option [tcl::prefix match -error [list -level 1 -errorcode \ | |
| [list TCL LOOKUP INDEX option $option]] $subcommands $option] | |
| # Special case: [encoding system] ok, but [encoding system foo] not | |
| if {$option eq "system" && [llength $args]} { | |
| return -code error -errorcode {TCL WRONGARGS} \ | |
| "wrong # args: should be \"encoding system\"" | |
| } | |
| } on error {msg options} { | |
| Log $slave $msg | |
| return -options $options $msg | |
| } | |
| tailcall ::interp invokehidden $slave encoding $option {*}$args | |
| } | |
| # Various minor hiding of platform features. [Bug 2913625] | |
| proc ::safe::AliasExeName {slave} { | |
| return "" | |
| } | |
| proc ::safe::Setup {} { | |
| #### | |
| # | |
| # Setup the arguments parsing | |
| # | |
| #### | |
| # Share the descriptions | |
| set temp [::tcl::OptKeyRegister { | |
| {-accessPath -list {} "access path for the slave"} | |
| {-noStatics "prevent loading of statically linked pkgs"} | |
| {-statics true "loading of statically linked pkgs"} | |
| {-nestedLoadOk "allow nested loading"} | |
| {-nested false "nested loading"} | |
| {-deleteHook -script {} "delete hook"} | |
| }] | |
| # create case (slave is optional) | |
| ::tcl::OptKeyRegister { | |
| {?slave? -name {} "name of the slave (optional)"} | |
| } ::safe::interpCreate | |
| # adding the flags sub programs to the command program (relying on Opt's | |
| # internal implementation details) | |
| lappend ::tcl::OptDesc(::safe::interpCreate) $::tcl::OptDesc($temp) | |
| # init and configure (slave is needed) | |
| ::tcl::OptKeyRegister { | |
| {slave -name {} "name of the slave"} | |
| } ::safe::interpIC | |
| # adding the flags sub programs to the command program (relying on Opt's | |
| # internal implementation details) | |
| lappend ::tcl::OptDesc(::safe::interpIC) $::tcl::OptDesc($temp) | |
| # temp not needed anymore | |
| ::tcl::OptKeyDelete $temp | |
| #### | |
| # | |
| # Default: No logging. | |
| # | |
| #### | |
| setLogCmd {} | |
| # Log eventually. | |
| # To enable error logging, set Log to {puts stderr} for instance, | |
| # via setLogCmd. | |
| return | |
| } | |
| namespace eval ::safe { | |
| # internal variables | |
| # Log command, set via 'setLogCmd'. Logging is disabled when empty. | |
| variable Log {} | |
| # The package maintains a state array per slave interp under its | |
| # control. The name of this array is S<interp-name>. This array is | |
| # brought into scope where needed, using 'namespace upvar'. The S | |
| # prefix is used to avoid that a slave interp called "Log" smashes | |
| # the "Log" variable. | |
| # | |
| # The array's elements are: | |
| # | |
| # access_path : List of paths accessible to the slave. | |
| # access_path,norm : Ditto, in normalized form. | |
| # access_path,slave : Ditto, as the path tokens as seen by the slave. | |
| # access_path,map : dict ( token -> path ) | |
| # access_path,remap : dict ( path -> token ) | |
| # tm_path_slave : List of TM root directories, as tokens seen by the slave. | |
| # staticsok : Value of option -statics | |
| # nestedok : Value of option -nested | |
| # cleanupHook : Value of option -deleteHook | |
| } | |
| ::safe::Setup | |