Practical Programming in Tcl & Tk, Third Edition
By Brent B. Welch

Chapter 19.  Multiple Interpreters and Safe-Tcl

The Safe Base

A safe interpreter created with interp create -safe has no script library environment and no way to source scripts. Tcl provides a safe base that extends a raw safe interpreter with the ability to source scripts and packages, which are described in Chapter 12. The safe base also defines an exit alias that terminates the slave, like the one in Example 19-7. The safe base is implemented as Tcl scripts that are part of the standard Tcl script library. Create an interpreter that uses the safe base with safe::interpCreate:

safe::interpCreate foo

The safe base has source and load aliases that only access directories on an access path defined by the master interpreter. The master has complete control over what files can be loaded into a slave. In general, it would be all right to source any Tcl program into an untrusted interpreter. However, untrusted scripts might learn things from the error messages they get by sourcing arbitrary files. The safe base also has versions of the package and unknown commands that support the library facility. Table 19-3 lists the Tcl procedures in the safe base:

Table 19-3. The safe base master interface.

safe::interpCreate ?slave? ?options?
    Creates a safe interpreter and initializes the security policy mechanism.
safe::interpInit slave ?options?
    Initializes a safe interpreter so it can use security policies.
safe::interpConfigure slave ?options?
    Options are -accessPath pathlist, -nostatics, -deleteHook script, -nestedLoadOk.
safe::interpDelete slave
    Deletes a safe interpreter.
safe::interpAddToAccessPath slave directory
    Adds a directory to the slave's access path.
safe::interpFindInAccessPath
    Maps from a directory to the token visible in the slave for that directory.
safe::setLogCmd ?cmd arg ... ?
    Sets or queries the logging command used by the safe base.

Table 19-4 lists the aliases defined in a safe interpreter by the safe base.

Table 19-4. The safe base slave aliases.

source
    Loads scripts from directories in the access path.
load
    Loads binary extensions from the slave's access path.
file
    Only the dirname, join, extension, root, tail, pathname, and split operations are allowed.
exit
    Destroys the slave interpreter.
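The following script is an added example, not code from the book, that exercises the safe base commands from Table 19-3 and the slave aliases from Table 19-4 together: the master creates a safe interpreter with a constructed library directory on its access path, the slave sources a script through the opaque token for that directory, a source attempt outside the access path and a disallowed file subcommand are refused, and exit in the slave destroys only the slave. The directory name safe_lib_example and the script greet.tcl are constructed for the example; the safe base commands themselves are the real ones from the table.

```tcl
package require Tcl 8.5

# Constructed "trusted library": one script in a scratch directory so the
# example runs stand-alone. The master controls what goes in here.
set libdir [file join [pwd] safe_lib_example]
file mkdir $libdir
set fd [open [file join $libdir greet.tcl] w]
puts $fd {proc greet {who} { return "hello, $who" }}
close $fd

# Route the safe base's log messages (e.g. refused source calls) to stderr.
safe::setLogCmd puts stderr

# Create the slave; its access path contains only our library directory
# (the safe base adds the Tcl library itself if it is missing).
safe::interpCreate foo -accessPath [list $libdir]
puts "configured: [safe::interpConfigure foo -accessPath]"

# The slave never sees the real directory name, only a token for it.
set token [safe::interpFindInAccessPath foo $libdir]
puts "slave token for $libdir: $token"

# source works through the token. [list ...] keeps the token literal so the
# slave does not try to substitute it before the master's alias sees it.
interp eval foo [list source [file join $token greet.tcl]]
puts [interp eval foo {greet world}]

# A path that is not under the access path is refused by the source alias.
if {[catch {interp eval foo {source /outside/the/path/other.tcl}} err]} {
    puts "source refused: $err"
}

# Only path-manipulation subcommands of file are available in the slave.
puts "file tail works: [interp eval foo {file tail /some/dir/x.tcl}]"
if {[catch {interp eval foo {file exists /some/dir/x.tcl}} err]} {
    puts "file exists refused: $err"
}

# exit inside the slave invokes the safe base alias, which deletes the
# slave rather than terminating the master process.
catch {interp eval foo exit}
puts "slave still exists after exit: [interp exists foo]"

# Clean up the constructed library directory.
file delete -force $libdir
```

Run it with tclsh; the printed lines show the token form the slave is given, the two refusals, and that the master keeps running after the slave's exit. Because the script being sourced must already be on the access path, the master decides up front which directories a slave may read from, rather than filtering individual source calls afterwards.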