
Practical Programming in Tcl & Tk, Third Edition
By Brent B. Welch

Chapter 20.  Safe-Tk and the Browser Plugin

Tk in Child Interpreters

A child interpreter starts out with just the core Tcl commands. It does not include Tk or any other extensions that might be available to the parent interpreter. This is true whether or not the child interpreter is declared safe. You add extensions to child interpreters by using a form of the load command that specifies an interpreter:

load {} Tk child

Normally, load takes the name of the library file that contains the extension. In this case, the Tk package is a static package that is already linked into the program (e.g., wish or the plugin), so the file name is the empty string. The load command calls the Tk initialization procedure to register all the Tcl commands provided by Tk.

Embedding Tk Windows

By default, a slave interpreter that loads Tk gets a new top-level window. Wish supports a -use command line option that directs Tk to use an existing window as its main window ("."). You can use this to embed an application within another. For example, the following commands run a copy of Wish that uses the .embed toplevel as its main window:

toplevel .embed
exec wish -use [winfo id .embed] somescript.tcl &

More often, embedding is used with child interpreters. If the interpreter is not safe, you can set the argv and argc variables in the slave before loading Tk:

interp create trustedTk
interp eval trustedTk \
    [list set argv [list -use [winfo id .embed]]]
interp eval trustedTk [list set argc 2]
load {} Tk trustedTk

If the child interpreter is safe, then you cannot set argv and argc directly. The easiest way to pass -use to a safe interpreter is with the safe::loadTk command:

safe::interpCreate safeTk
safe::loadTk safeTk -use [winfo id .embed]

When Tk is loaded into a safe interpreter it calls back into the master interpreter and evaluates the safe::TkInit procedure. The job of this procedure is to return the appropriate argv value for the slave. The safe::loadTk procedure stores its additional arguments in the safe::tkInit variable, and this value is retrieved by the safe::TkInit procedure and returned to the slave. This protocol is used so a safe interpreter cannot attempt to hijack the windows of its master by constructing its own argv variable!

Safe-Tk Restrictions

When Tk is loaded into a safe interpreter it hides several Tk commands. Primarily these are hidden to prevent denial of service attacks against the main process. For example, if a child interpreter did a global grab and never released it, all input would be forever directed to the child. Table 20-1 lists the Tk commands hidden by default from a safe interpreter. The Tcl commands that are hidden in safe interpreters are listed on page 279.

Table 20-1. Tk commands omitted from safe interpreters.

bell              Ring the terminal bell.
clipboard         Access the CLIPBOARD selection.
grab              Direct input to a specified widget.
menu              Create and manipulate menus, because menus need grab.
selection         Manipulate the selection.
send              Execute a command in another Tk application.
tk                Set the application name.
tk_chooseColor    Color choice dialog.
tk_getOpenFile    File open dialog.
tk_getSaveFile    File save dialog.
tk_messageBox     Simple dialog boxes.
toplevel          Creates a detached window.
wm                Control the window manager.

If you find these restrictions limiting, you can restore commands to safe interpreters with the interp expose command. For example, to get menus and toplevels working, you could do:

interp create -safe safeTk
foreach cmd {grab menu menubutton toplevel wm} {
    interp expose safeTk $cmd
}

Instead of exposing the command directly, you can also construct aliases that provide a subset of the features. For example, you could disable the -global option to grab. Aliases are described in detail in Chapter 19.
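
One way to build the restricted grab alias described above, as an added example that is not from the book: grab stays hidden in the child, and a parent-side procedure forwards only local grabs. The procedure name SafeGrab is hypothetical, the interpreter and window names follow the earlier examples, and {*} assumes Tcl 8.5 or later.

```tcl
# Added example (not from the book). Run under wish.
package require Tk

toplevel .embed
safe::interpCreate safeTk
safe::loadTk safeTk -use [winfo id .embed]

# SafeGrab (hypothetical name) runs in the parent on behalf of the child.
proc SafeGrab {child args} {
    # Reject every option-like argument instead of comparing against the
    # exact string "-global". -global is the only option grab takes, and
    # window paths always start with ".", so this also covers any
    # abbreviated spelling of the option.
    foreach arg $args {
        if {[string index $arg 0] eq "-"} {
            return -code error "grab options are not permitted here: $arg"
        }
    }
    # Invoke the still-hidden grab inside the child, so window paths are
    # resolved against the child's own widget hierarchy, not the parent's.
    return [interp invokehidden $child grab {*}$args]
}

# The child sees an ordinary "grab" command that is really the filter.
interp alias safeTk grab {} SafeGrab safeTk

# A global grab requested by untrusted code now fails in the child;
# the error raised by SafeGrab propagates back through the alias.
if {[catch {interp eval safeTk {grab set -global .}} msg]} {
    puts "child was refused: $msg"
}
```

The child can still call grab set, grab release, grab current and grab status on its own windows, because those forms pass through the filter unchanged.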

The Browser plugin defines a more elaborate configuration system to control what commands are available to slave interpreters. You can have lots of control, but you need to distribute the security policies that define what Tclets can do in the plugin. Configuring security policies for the plugin is described later.
