The Safe Base
An safe interpreter created with interp create -safe has no script library environment and no way to source scripts. Tcl provides a safe base that extends a raw safe interpreter with the ability to source scripts and packages, which are described in Chapter 12. The safe base also defines an exit alias that terminates the slave like the one in Example 19-7. The safe base is implemented as Tcl scripts that are part of the standard Tcl script library. Create an interpreter that uses the safe base with safe::interpCreate:
The safe base has source and load aliases that only access directories on an access path defined by the master interpreter. The master has complete control over what files can be loaded into a slave. In general, it would be all right to source any Tcl program into an untrusted interpreter. However, untrusted scripts might learn things from the error messages they get by sourcing arbitrary files. The safe base also has versions of the package and unknown commands that support the library facility. Table 19-3 lists the Tcl procedures in the safe base:
Table 19-3. The safe base master interface.
|safe::interpCreate ?slave? ?options?||Creates a safe interpreter and initialize the security policy mechanism.|
|safe::interpInit slave ?options?||Initializes a safe interpreter so it can use security policies.|
|safe::interpConfigure slave ?options?||Options are -accessPath pathlist, -nostatics, -deleteHook script, -nestedLoadOk.|
|safe::interpDelete slave||Deletes a safe interpreter.|
|safe::interpAddToAccessPath slave directory||Adds a directory to the slave's access path.|
|safe::interpFindInAccessPath||Maps from a directory to the token visible in the slave for that directory.|
|safe::setLogCmd ?cmd arg ... ?||Sets or queries the logging command used by the safe base.|
Table 19-4 lists the aliases defined in a safe interpreter by the safe base.
Table 19-4. The safe base slave aliases.
|source||Loads scripts from directories in the access path.|
|load||Loads binary extensions from the slaves access path.|
|file||Only the dirname, join, extension, root, tail, pathname, and split operations are allowed.|
|exit||Destroys the slave interpreter.|