[5129] | 1 | # safe.tcl -- |
---|
| 2 | # |
---|
| 3 | # This file provide a safe loading/sourcing mechanism for safe interpreters. |
---|
| 4 | # It implements a virtual path mecanism to hide the real pathnames from the |
---|
| 5 | # slave. It runs in a master interpreter and sets up data structure and |
---|
| 6 | # aliases that will be invoked when used from a slave interpreter. |
---|
| 7 | # |
---|
| 8 | # See the safe.n man page for details. |
---|
| 9 | # |
---|
| 10 | # Copyright (c) 1996-1997 Sun Microsystems, Inc. |
---|
| 11 | # |
---|
| 12 | # See the file "license.terms" for information on usage and redistribution |
---|
| 13 | # of this file, and for a DISCLAIMER OF ALL WARRANTIES. |
---|
| 14 | # |
---|
| 15 | # RCS: @(#) $Id: safe.tcl,v 1.9.2.3 2005/07/22 21:59:41 dgp Exp $ |
---|
| 16 | |
---|
| 17 | # |
---|
| 18 | # The implementation is based on namespaces. These naming conventions |
---|
| 19 | # are followed: |
---|
| 20 | # Private procs starts with uppercase. |
---|
| 21 | # Public procs are exported and starts with lowercase |
---|
| 22 | # |
---|
| 23 | |
---|
| 24 | # Needed utilities package |
---|
| 25 | package require opt 0.4.1; |
---|
| 26 | |
---|
| 27 | # Create the safe namespace |
---|
| 28 | namespace eval ::safe { |
---|
| 29 | |
---|
| 30 | # Exported API: |
---|
| 31 | namespace export interpCreate interpInit interpConfigure interpDelete \ |
---|
| 32 | interpAddToAccessPath interpFindInAccessPath setLogCmd |
---|
| 33 | |
---|
| 34 | #### |
---|
| 35 | # |
---|
| 36 | # Setup the arguments parsing |
---|
| 37 | # |
---|
| 38 | #### |
---|
| 39 | |
---|
| 40 | # Make sure that our temporary variable is local to this |
---|
| 41 | # namespace. [Bug 981733] |
---|
| 42 | variable temp |
---|
| 43 | |
---|
| 44 | # Share the descriptions |
---|
| 45 | set temp [::tcl::OptKeyRegister { |
---|
| 46 | {-accessPath -list {} "access path for the slave"} |
---|
| 47 | {-noStatics "prevent loading of statically linked pkgs"} |
---|
| 48 | {-statics true "loading of statically linked pkgs"} |
---|
| 49 | {-nestedLoadOk "allow nested loading"} |
---|
| 50 | {-nested false "nested loading"} |
---|
| 51 | {-deleteHook -script {} "delete hook"} |
---|
| 52 | }] |
---|
| 53 | |
---|
| 54 | # create case (slave is optional) |
---|
| 55 | ::tcl::OptKeyRegister { |
---|
| 56 | {?slave? -name {} "name of the slave (optional)"} |
---|
| 57 | } ::safe::interpCreate |
---|
| 58 | # adding the flags sub programs to the command program |
---|
| 59 | # (relying on Opt's internal implementation details) |
---|
| 60 | lappend ::tcl::OptDesc(::safe::interpCreate) $::tcl::OptDesc($temp) |
---|
| 61 | |
---|
| 62 | # init and configure (slave is needed) |
---|
| 63 | ::tcl::OptKeyRegister { |
---|
| 64 | {slave -name {} "name of the slave"} |
---|
| 65 | } ::safe::interpIC |
---|
| 66 | # adding the flags sub programs to the command program |
---|
| 67 | # (relying on Opt's internal implementation details) |
---|
| 68 | lappend ::tcl::OptDesc(::safe::interpIC) $::tcl::OptDesc($temp) |
---|
| 69 | # temp not needed anymore |
---|
| 70 | ::tcl::OptKeyDelete $temp |
---|
| 71 | |
---|
| 72 | |
---|
| 73 | # Helper function to resolve the dual way of specifying staticsok |
---|
| 74 | # (either by -noStatics or -statics 0) |
---|
| 75 | proc InterpStatics {} { |
---|
| 76 | foreach v {Args statics noStatics} { |
---|
| 77 | upvar $v $v |
---|
| 78 | } |
---|
| 79 | set flag [::tcl::OptProcArgGiven -noStatics]; |
---|
| 80 | if {$flag && (!$noStatics == !$statics) |
---|
| 81 | && ([::tcl::OptProcArgGiven -statics])} { |
---|
| 82 | return -code error\ |
---|
| 83 | "conflicting values given for -statics and -noStatics" |
---|
| 84 | } |
---|
| 85 | if {$flag} { |
---|
| 86 | return [expr {!$noStatics}] |
---|
| 87 | } else { |
---|
| 88 | return $statics |
---|
| 89 | } |
---|
| 90 | } |
---|
| 91 | |
---|
| 92 | # Helper function to resolve the dual way of specifying nested loading |
---|
| 93 | # (either by -nestedLoadOk or -nested 1) |
---|
| 94 | proc InterpNested {} { |
---|
| 95 | foreach v {Args nested nestedLoadOk} { |
---|
| 96 | upvar $v $v |
---|
| 97 | } |
---|
| 98 | set flag [::tcl::OptProcArgGiven -nestedLoadOk]; |
---|
| 99 | # note that the test here is the opposite of the "InterpStatics" |
---|
| 100 | # one (it is not -noNested... because of the wanted default value) |
---|
| 101 | if {$flag && (!$nestedLoadOk != !$nested) |
---|
| 102 | && ([::tcl::OptProcArgGiven -nested])} { |
---|
| 103 | return -code error\ |
---|
| 104 | "conflicting values given for -nested and -nestedLoadOk" |
---|
| 105 | } |
---|
| 106 | if {$flag} { |
---|
| 107 | # another difference with "InterpStatics" |
---|
| 108 | return $nestedLoadOk |
---|
| 109 | } else { |
---|
| 110 | return $nested |
---|
| 111 | } |
---|
| 112 | } |
---|
| 113 | |
---|
| 114 | #### |
---|
| 115 | # |
---|
| 116 | # API entry points that needs argument parsing : |
---|
| 117 | # |
---|
| 118 | #### |
---|
| 119 | |
---|
| 120 | |
---|
| 121 | # Interface/entry point function and front end for "Create" |
---|
| 122 | proc interpCreate {args} { |
---|
| 123 | set Args [::tcl::OptKeyParse ::safe::interpCreate $args] |
---|
| 124 | InterpCreate $slave $accessPath \ |
---|
| 125 | [InterpStatics] [InterpNested] $deleteHook |
---|
| 126 | } |
---|
| 127 | |
---|
| 128 | proc interpInit {args} { |
---|
| 129 | set Args [::tcl::OptKeyParse ::safe::interpIC $args] |
---|
| 130 | if {![::interp exists $slave]} { |
---|
| 131 | return -code error "\"$slave\" is not an interpreter" |
---|
| 132 | } |
---|
| 133 | InterpInit $slave $accessPath \ |
---|
| 134 | [InterpStatics] [InterpNested] $deleteHook; |
---|
| 135 | } |
---|
| 136 | |
---|
| 137 | proc CheckInterp {slave} { |
---|
| 138 | if {![IsInterp $slave]} { |
---|
| 139 | return -code error \ |
---|
| 140 | "\"$slave\" is not an interpreter managed by ::safe::" |
---|
| 141 | } |
---|
| 142 | } |
---|
| 143 | |
---|
| 144 | # Interface/entry point function and front end for "Configure" |
---|
| 145 | # This code is awfully pedestrian because it would need |
---|
| 146 | # more coupling and support between the way we store the |
---|
| 147 | # configuration values in safe::interp's and the Opt package |
---|
| 148 | # Obviously we would like an OptConfigure |
---|
| 149 | # to avoid duplicating all this code everywhere. -> TODO |
---|
| 150 | # (the app should share or access easily the program/value |
---|
| 151 | # stored by opt) |
---|
| 152 | # This is even more complicated by the boolean flags with no values |
---|
| 153 | # that we had the bad idea to support for the sake of user simplicity |
---|
| 154 | # in create/init but which makes life hard in configure... |
---|
| 155 | # So this will be hopefully written and some integrated with opt1.0 |
---|
| 156 | # (hopefully for tcl8.1 ?) |
---|
| 157 | proc interpConfigure {args} { |
---|
| 158 | switch [llength $args] { |
---|
| 159 | 1 { |
---|
| 160 | # If we have exactly 1 argument |
---|
| 161 | # the semantic is to return all the current configuration |
---|
| 162 | # We still call OptKeyParse though we know that "slave" |
---|
| 163 | # is our given argument because it also checks |
---|
| 164 | # for the "-help" option. |
---|
| 165 | set Args [::tcl::OptKeyParse ::safe::interpIC $args] |
---|
| 166 | CheckInterp $slave |
---|
| 167 | set res {} |
---|
| 168 | lappend res [list -accessPath [Set [PathListName $slave]]] |
---|
| 169 | lappend res [list -statics [Set [StaticsOkName $slave]]] |
---|
| 170 | lappend res [list -nested [Set [NestedOkName $slave]]] |
---|
| 171 | lappend res [list -deleteHook [Set [DeleteHookName $slave]]] |
---|
| 172 | join $res |
---|
| 173 | } |
---|
| 174 | 2 { |
---|
| 175 | # If we have exactly 2 arguments |
---|
| 176 | # the semantic is a "configure get" |
---|
| 177 | ::tcl::Lassign $args slave arg |
---|
| 178 | # get the flag sub program (we 'know' about Opt's internal |
---|
| 179 | # representation of data) |
---|
| 180 | set desc [lindex [::tcl::OptKeyGetDesc ::safe::interpIC] 2] |
---|
| 181 | set hits [::tcl::OptHits desc $arg] |
---|
| 182 | if {$hits > 1} { |
---|
| 183 | return -code error [::tcl::OptAmbigous $desc $arg] |
---|
| 184 | } elseif {$hits == 0} { |
---|
| 185 | return -code error [::tcl::OptFlagUsage $desc $arg] |
---|
| 186 | } |
---|
| 187 | CheckInterp $slave |
---|
| 188 | set item [::tcl::OptCurDesc $desc] |
---|
| 189 | set name [::tcl::OptName $item] |
---|
| 190 | switch -exact -- $name { |
---|
| 191 | -accessPath { |
---|
| 192 | return [list -accessPath [Set [PathListName $slave]]] |
---|
| 193 | } |
---|
| 194 | -statics { |
---|
| 195 | return [list -statics [Set [StaticsOkName $slave]]] |
---|
| 196 | } |
---|
| 197 | -nested { |
---|
| 198 | return [list -nested [Set [NestedOkName $slave]]] |
---|
| 199 | } |
---|
| 200 | -deleteHook { |
---|
| 201 | return [list -deleteHook [Set [DeleteHookName $slave]]] |
---|
| 202 | } |
---|
| 203 | -noStatics { |
---|
| 204 | # it is most probably a set in fact |
---|
| 205 | # but we would need then to jump to the set part |
---|
| 206 | # and it is not *sure* that it is a set action |
---|
| 207 | # that the user want, so force it to use the |
---|
| 208 | # unambigous -statics ?value? instead: |
---|
| 209 | return -code error\ |
---|
| 210 | "ambigous query (get or set -noStatics ?)\ |
---|
| 211 | use -statics instead" |
---|
| 212 | } |
---|
| 213 | -nestedLoadOk { |
---|
| 214 | return -code error\ |
---|
| 215 | "ambigous query (get or set -nestedLoadOk ?)\ |
---|
| 216 | use -nested instead" |
---|
| 217 | } |
---|
| 218 | default { |
---|
| 219 | return -code error "unknown flag $name (bug)" |
---|
| 220 | } |
---|
| 221 | } |
---|
| 222 | } |
---|
| 223 | default { |
---|
| 224 | # Otherwise we want to parse the arguments like init and create |
---|
| 225 | # did |
---|
| 226 | set Args [::tcl::OptKeyParse ::safe::interpIC $args] |
---|
| 227 | CheckInterp $slave |
---|
| 228 | # Get the current (and not the default) values of |
---|
| 229 | # whatever has not been given: |
---|
| 230 | if {![::tcl::OptProcArgGiven -accessPath]} { |
---|
| 231 | set doreset 1 |
---|
| 232 | set accessPath [Set [PathListName $slave]] |
---|
| 233 | } else { |
---|
| 234 | set doreset 0 |
---|
| 235 | } |
---|
| 236 | if {(![::tcl::OptProcArgGiven -statics]) \ |
---|
| 237 | && (![::tcl::OptProcArgGiven -noStatics]) } { |
---|
| 238 | set statics [Set [StaticsOkName $slave]] |
---|
| 239 | } else { |
---|
| 240 | set statics [InterpStatics] |
---|
| 241 | } |
---|
| 242 | if {([::tcl::OptProcArgGiven -nested]) \ |
---|
| 243 | || ([::tcl::OptProcArgGiven -nestedLoadOk]) } { |
---|
| 244 | set nested [InterpNested] |
---|
| 245 | } else { |
---|
| 246 | set nested [Set [NestedOkName $slave]] |
---|
| 247 | } |
---|
| 248 | if {![::tcl::OptProcArgGiven -deleteHook]} { |
---|
| 249 | set deleteHook [Set [DeleteHookName $slave]] |
---|
| 250 | } |
---|
| 251 | # we can now reconfigure : |
---|
| 252 | InterpSetConfig $slave $accessPath $statics $nested $deleteHook |
---|
| 253 | # auto_reset the slave (to completly synch the new access_path) |
---|
| 254 | if {$doreset} { |
---|
| 255 | if {[catch {::interp eval $slave {auto_reset}} msg]} { |
---|
| 256 | Log $slave "auto_reset failed: $msg" |
---|
| 257 | } else { |
---|
| 258 | Log $slave "successful auto_reset" NOTICE |
---|
| 259 | } |
---|
| 260 | } |
---|
| 261 | } |
---|
| 262 | } |
---|
| 263 | } |
---|
| 264 | |
---|
| 265 | |
---|
| 266 | #### |
---|
| 267 | # |
---|
| 268 | # Functions that actually implements the exported APIs |
---|
| 269 | # |
---|
| 270 | #### |
---|
| 271 | |
---|
| 272 | |
---|
| 273 | # |
---|
| 274 | # safe::InterpCreate : doing the real job |
---|
| 275 | # |
---|
| 276 | # This procedure creates a safe slave and initializes it with the |
---|
| 277 | # safe base aliases. |
---|
| 278 | # NB: slave name must be simple alphanumeric string, no spaces, |
---|
| 279 | # no (), no {},... {because the state array is stored as part of the name} |
---|
| 280 | # |
---|
| 281 | # Returns the slave name. |
---|
| 282 | # |
---|
| 283 | # Optional Arguments : |
---|
| 284 | # + slave name : if empty, generated name will be used |
---|
| 285 | # + access_path: path list controlling where load/source can occur, |
---|
| 286 | # if empty: the master auto_path will be used. |
---|
| 287 | # + staticsok : flag, if 0 :no static package can be loaded (load {} Xxx) |
---|
| 288 | # if 1 :static packages are ok. |
---|
| 289 | # + nestedok: flag, if 0 :no loading to sub-sub interps (load xx xx sub) |
---|
| 290 | # if 1 : multiple levels are ok. |
---|
| 291 | |
---|
| 292 | # use the full name and no indent so auto_mkIndex can find us |
---|
| 293 | proc ::safe::InterpCreate { |
---|
| 294 | slave |
---|
| 295 | access_path |
---|
| 296 | staticsok |
---|
| 297 | nestedok |
---|
| 298 | deletehook |
---|
| 299 | } { |
---|
| 300 | # Create the slave. |
---|
| 301 | if {$slave ne ""} { |
---|
| 302 | ::interp create -safe $slave |
---|
| 303 | } else { |
---|
| 304 | # empty argument: generate slave name |
---|
| 305 | set slave [::interp create -safe] |
---|
| 306 | } |
---|
| 307 | Log $slave "Created" NOTICE |
---|
| 308 | |
---|
| 309 | # Initialize it. (returns slave name) |
---|
| 310 | InterpInit $slave $access_path $staticsok $nestedok $deletehook |
---|
| 311 | } |
---|
| 312 | |
---|
| 313 | |
---|
| 314 | # |
---|
| 315 | # InterpSetConfig (was setAccessPath) : |
---|
| 316 | # Sets up slave virtual auto_path and corresponding structure |
---|
| 317 | # within the master. Also sets the tcl_library in the slave |
---|
| 318 | # to be the first directory in the path. |
---|
| 319 | # Nb: If you change the path after the slave has been initialized |
---|
| 320 | # you probably need to call "auto_reset" in the slave in order that it |
---|
| 321 | # gets the right auto_index() array values. |
---|
| 322 | |
---|
| 323 | proc ::safe::InterpSetConfig {slave access_path staticsok\ |
---|
| 324 | nestedok deletehook} { |
---|
| 325 | |
---|
| 326 | # determine and store the access path if empty |
---|
| 327 | if {$access_path eq ""} { |
---|
| 328 | set access_path [uplevel \#0 set auto_path] |
---|
| 329 | # Make sure that tcl_library is in auto_path |
---|
| 330 | # and at the first position (needed by setAccessPath) |
---|
| 331 | set where [lsearch -exact $access_path [info library]] |
---|
| 332 | if {$where == -1} { |
---|
| 333 | # not found, add it. |
---|
| 334 | set access_path [concat [list [info library]] $access_path] |
---|
| 335 | Log $slave "tcl_library was not in auto_path,\ |
---|
| 336 | added it to slave's access_path" NOTICE |
---|
| 337 | } elseif {$where != 0} { |
---|
| 338 | # not first, move it first |
---|
| 339 | set access_path [concat [list [info library]]\ |
---|
| 340 | [lreplace $access_path $where $where]] |
---|
| 341 | Log $slave "tcl_libray was not in first in auto_path,\ |
---|
| 342 | moved it to front of slave's access_path" NOTICE |
---|
| 343 | |
---|
| 344 | } |
---|
| 345 | |
---|
| 346 | # Add 1st level sub dirs (will searched by auto loading from tcl |
---|
| 347 | # code in the slave using glob and thus fail, so we add them |
---|
| 348 | # here so by default it works the same). |
---|
| 349 | set access_path [AddSubDirs $access_path] |
---|
| 350 | } |
---|
| 351 | |
---|
| 352 | Log $slave "Setting accessPath=($access_path) staticsok=$staticsok\ |
---|
| 353 | nestedok=$nestedok deletehook=($deletehook)" NOTICE |
---|
| 354 | |
---|
| 355 | # clear old autopath if it existed |
---|
| 356 | set nname [PathNumberName $slave] |
---|
| 357 | if {[Exists $nname]} { |
---|
| 358 | set n [Set $nname] |
---|
| 359 | for {set i 0} {$i<$n} {incr i} { |
---|
| 360 | Unset [PathToken $i $slave] |
---|
| 361 | } |
---|
| 362 | } |
---|
| 363 | |
---|
| 364 | # build new one |
---|
| 365 | set slave_auto_path {} |
---|
| 366 | set i 0 |
---|
| 367 | foreach dir $access_path { |
---|
| 368 | Set [PathToken $i $slave] $dir |
---|
| 369 | lappend slave_auto_path "\$[PathToken $i]" |
---|
| 370 | incr i |
---|
| 371 | } |
---|
| 372 | Set $nname $i |
---|
| 373 | Set [PathListName $slave] $access_path |
---|
| 374 | Set [VirtualPathListName $slave] $slave_auto_path |
---|
| 375 | |
---|
| 376 | Set [StaticsOkName $slave] $staticsok |
---|
| 377 | Set [NestedOkName $slave] $nestedok |
---|
| 378 | Set [DeleteHookName $slave] $deletehook |
---|
| 379 | |
---|
| 380 | SyncAccessPath $slave |
---|
| 381 | } |
---|
| 382 | |
---|
| 383 | # |
---|
| 384 | # |
---|
| 385 | # FindInAccessPath: |
---|
| 386 | # Search for a real directory and returns its virtual Id |
---|
| 387 | # (including the "$") |
---|
| 388 | proc ::safe::interpFindInAccessPath {slave path} { |
---|
| 389 | set access_path [GetAccessPath $slave] |
---|
| 390 | set where [lsearch -exact $access_path $path] |
---|
| 391 | if {$where == -1} { |
---|
| 392 | return -code error "$path not found in access path $access_path" |
---|
| 393 | } |
---|
| 394 | return "\$[PathToken $where]" |
---|
| 395 | } |
---|
| 396 | |
---|
| 397 | # |
---|
| 398 | # addToAccessPath: |
---|
| 399 | # add (if needed) a real directory to access path |
---|
| 400 | # and return its virtual token (including the "$"). |
---|
| 401 | proc ::safe::interpAddToAccessPath {slave path} { |
---|
| 402 | # first check if the directory is already in there |
---|
| 403 | if {![catch {interpFindInAccessPath $slave $path} res]} { |
---|
| 404 | return $res |
---|
| 405 | } |
---|
| 406 | # new one, add it: |
---|
| 407 | set nname [PathNumberName $slave] |
---|
| 408 | set n [Set $nname] |
---|
| 409 | Set [PathToken $n $slave] $path |
---|
| 410 | |
---|
| 411 | set token "\$[PathToken $n]" |
---|
| 412 | |
---|
| 413 | Lappend [VirtualPathListName $slave] $token |
---|
| 414 | Lappend [PathListName $slave] $path |
---|
| 415 | Set $nname [expr {$n+1}] |
---|
| 416 | |
---|
| 417 | SyncAccessPath $slave |
---|
| 418 | |
---|
| 419 | return $token |
---|
| 420 | } |
---|
| 421 | |
---|
| 422 | # This procedure applies the initializations to an already existing |
---|
| 423 | # interpreter. It is useful when you want to install the safe base |
---|
| 424 | # aliases into a preexisting safe interpreter. |
---|
| 425 | proc ::safe::InterpInit { |
---|
| 426 | slave |
---|
| 427 | access_path |
---|
| 428 | staticsok |
---|
| 429 | nestedok |
---|
| 430 | deletehook |
---|
| 431 | } { |
---|
| 432 | |
---|
| 433 | # Configure will generate an access_path when access_path is |
---|
| 434 | # empty. |
---|
| 435 | InterpSetConfig $slave $access_path $staticsok $nestedok $deletehook |
---|
| 436 | |
---|
| 437 | # These aliases let the slave load files to define new commands |
---|
| 438 | |
---|
| 439 | # NB we need to add [namespace current], aliases are always |
---|
| 440 | # absolute paths. |
---|
| 441 | ::interp alias $slave source {} [namespace current]::AliasSource $slave |
---|
| 442 | ::interp alias $slave load {} [namespace current]::AliasLoad $slave |
---|
| 443 | |
---|
| 444 | # This alias lets the slave use the encoding names, convertfrom, |
---|
| 445 | # convertto, and system, but not "encoding system <name>" to set |
---|
| 446 | # the system encoding. |
---|
| 447 | |
---|
| 448 | ::interp alias $slave encoding {} [namespace current]::AliasEncoding \ |
---|
| 449 | $slave |
---|
| 450 | |
---|
| 451 | # This alias lets the slave have access to a subset of the 'file' |
---|
| 452 | # command functionality. |
---|
| 453 | |
---|
| 454 | AliasSubset $slave file file dir.* join root.* ext.* tail \ |
---|
| 455 | path.* split |
---|
| 456 | |
---|
| 457 | # This alias interposes on the 'exit' command and cleanly terminates |
---|
| 458 | # the slave. |
---|
| 459 | |
---|
| 460 | ::interp alias $slave exit {} [namespace current]::interpDelete $slave |
---|
| 461 | |
---|
| 462 | # The allowed slave variables already have been set |
---|
| 463 | # by Tcl_MakeSafe(3) |
---|
| 464 | |
---|
| 465 | |
---|
| 466 | # Source init.tcl into the slave, to get auto_load and other |
---|
| 467 | # procedures defined: |
---|
| 468 | |
---|
| 469 | # We don't try to use the -rsrc on the mac because it would get |
---|
| 470 | # confusing if you would want to customize init.tcl |
---|
| 471 | # for a given set of safe slaves, on all the platforms |
---|
| 472 | # you just need to give a specific access_path and |
---|
| 473 | # the mac should be no exception. As there is no |
---|
| 474 | # obvious full "safe ressources" design nor implementation |
---|
| 475 | # for the mac, safe interps there will just don't |
---|
| 476 | # have that ability. (A specific app can still reenable |
---|
| 477 | # that using custom aliases if they want to). |
---|
| 478 | # It would also make the security analysis and the Safe Tcl security |
---|
| 479 | # model platform dependant and thus more error prone. |
---|
| 480 | |
---|
| 481 | if {[catch {::interp eval $slave\ |
---|
| 482 | {source [file join $tcl_library init.tcl]}} msg]} { |
---|
| 483 | Log $slave "can't source init.tcl ($msg)" |
---|
| 484 | error "can't source init.tcl into slave $slave ($msg)" |
---|
| 485 | } |
---|
| 486 | |
---|
| 487 | return $slave |
---|
| 488 | } |
---|
| 489 | |
---|
| 490 | |
---|
| 491 | # Add (only if needed, avoid duplicates) 1 level of |
---|
| 492 | # sub directories to an existing path list. |
---|
| 493 | # Also removes non directories from the returned list. |
---|
| 494 | proc AddSubDirs {pathList} { |
---|
| 495 | set res {} |
---|
| 496 | foreach dir $pathList { |
---|
| 497 | if {[file isdirectory $dir]} { |
---|
| 498 | # check that we don't have it yet as a children |
---|
| 499 | # of a previous dir |
---|
| 500 | if {[lsearch -exact $res $dir]<0} { |
---|
| 501 | lappend res $dir |
---|
| 502 | } |
---|
| 503 | foreach sub [glob -directory $dir -nocomplain *] { |
---|
| 504 | if {([file isdirectory $sub]) \ |
---|
| 505 | && ([lsearch -exact $res $sub]<0) } { |
---|
| 506 | # new sub dir, add it ! |
---|
| 507 | lappend res $sub |
---|
| 508 | } |
---|
| 509 | } |
---|
| 510 | } |
---|
| 511 | } |
---|
| 512 | return $res |
---|
| 513 | } |
---|
| 514 | |
---|
| 515 | # This procedure deletes a safe slave managed by Safe Tcl and |
---|
| 516 | # cleans up associated state: |
---|
| 517 | |
---|
| 518 | proc ::safe::interpDelete {slave} { |
---|
| 519 | |
---|
| 520 | Log $slave "About to delete" NOTICE |
---|
| 521 | |
---|
| 522 | # If the slave has a cleanup hook registered, call it. |
---|
| 523 | # check the existance because we might be called to delete an interp |
---|
| 524 | # which has not been registered with us at all |
---|
| 525 | set hookname [DeleteHookName $slave] |
---|
| 526 | if {[Exists $hookname]} { |
---|
| 527 | set hook [Set $hookname] |
---|
| 528 | if {![::tcl::Lempty $hook]} { |
---|
| 529 | # remove the hook now, otherwise if the hook |
---|
| 530 | # calls us somehow, we'll loop |
---|
| 531 | Unset $hookname |
---|
| 532 | if {[catch {eval $hook [list $slave]} err]} { |
---|
| 533 | Log $slave "Delete hook error ($err)" |
---|
| 534 | } |
---|
| 535 | } |
---|
| 536 | } |
---|
| 537 | |
---|
| 538 | # Discard the global array of state associated with the slave, and |
---|
| 539 | # delete the interpreter. |
---|
| 540 | |
---|
| 541 | set statename [InterpStateName $slave] |
---|
| 542 | if {[Exists $statename]} { |
---|
| 543 | Unset $statename |
---|
| 544 | } |
---|
| 545 | |
---|
| 546 | # if we have been called twice, the interp might have been deleted |
---|
| 547 | # already |
---|
| 548 | if {[::interp exists $slave]} { |
---|
| 549 | ::interp delete $slave |
---|
| 550 | Log $slave "Deleted" NOTICE |
---|
| 551 | } |
---|
| 552 | |
---|
| 553 | return |
---|
| 554 | } |
---|
| 555 | |
---|
| 556 | # Set (or get) the loging mecanism |
---|
| 557 | |
---|
| 558 | proc ::safe::setLogCmd {args} { |
---|
| 559 | variable Log |
---|
| 560 | if {[llength $args] == 0} { |
---|
| 561 | return $Log |
---|
| 562 | } else { |
---|
| 563 | if {[llength $args] == 1} { |
---|
| 564 | set Log [lindex $args 0] |
---|
| 565 | } else { |
---|
| 566 | set Log $args |
---|
| 567 | } |
---|
| 568 | } |
---|
| 569 | } |
---|
| 570 | |
---|
| 571 | # internal variable |
---|
| 572 | variable Log {} |
---|
| 573 | |
---|
| 574 | # ------------------- END OF PUBLIC METHODS ------------ |
---|
| 575 | |
---|
| 576 | |
---|
| 577 | # |
---|
| 578 | # sets the slave auto_path to the master recorded value. |
---|
| 579 | # also sets tcl_library to the first token of the virtual path. |
---|
| 580 | # |
---|
| 581 | proc SyncAccessPath {slave} { |
---|
| 582 | set slave_auto_path [Set [VirtualPathListName $slave]] |
---|
| 583 | ::interp eval $slave [list set auto_path $slave_auto_path] |
---|
| 584 | Log $slave "auto_path in $slave has been set to $slave_auto_path"\ |
---|
| 585 | NOTICE |
---|
| 586 | ::interp eval $slave [list set tcl_library [lindex $slave_auto_path 0]] |
---|
| 587 | } |
---|
| 588 | |
---|
| 589 | # base name for storing all the slave states |
---|
| 590 | # the array variable name for slave foo is thus "Sfoo" |
---|
| 591 | # and for sub slave {foo bar} "Sfoo bar" (spaces are handled |
---|
| 592 | # ok everywhere (or should)) |
---|
| 593 | # We add the S prefix to avoid that a slave interp called "Log" |
---|
| 594 | # would smash our "Log" variable. |
---|
| 595 | proc InterpStateName {slave} { |
---|
| 596 | return "S$slave" |
---|
| 597 | } |
---|
| 598 | |
---|
| 599 | # Check that the given slave is "one of us" |
---|
| 600 | proc IsInterp {slave} { |
---|
| 601 | expr {[Exists [InterpStateName $slave]] && [::interp exists $slave]} |
---|
| 602 | } |
---|
| 603 | |
---|
| 604 | # returns the virtual token for directory number N |
---|
| 605 | # if the slave argument is given, |
---|
| 606 | # it will return the corresponding master global variable name |
---|
| 607 | proc PathToken {n {slave ""}} { |
---|
| 608 | if {$slave ne ""} { |
---|
| 609 | return "[InterpStateName $slave](access_path,$n)" |
---|
| 610 | } else { |
---|
| 611 | # We need to have a ":" in the token string so |
---|
| 612 | # [file join] on the mac won't turn it into a relative |
---|
| 613 | # path. |
---|
| 614 | return "p(:$n:)" |
---|
| 615 | } |
---|
| 616 | } |
---|
| 617 | # returns the variable name of the complete path list |
---|
| 618 | proc PathListName {slave} { |
---|
| 619 | return "[InterpStateName $slave](access_path)" |
---|
| 620 | } |
---|
| 621 | # returns the variable name of the complete path list |
---|
| 622 | proc VirtualPathListName {slave} { |
---|
| 623 | return "[InterpStateName $slave](access_path_slave)" |
---|
| 624 | } |
---|
| 625 | # returns the variable name of the number of items |
---|
| 626 | proc PathNumberName {slave} { |
---|
| 627 | return "[InterpStateName $slave](access_path,n)" |
---|
| 628 | } |
---|
| 629 | # returns the staticsok flag var name |
---|
| 630 | proc StaticsOkName {slave} { |
---|
| 631 | return "[InterpStateName $slave](staticsok)" |
---|
| 632 | } |
---|
| 633 | # returns the nestedok flag var name |
---|
| 634 | proc NestedOkName {slave} { |
---|
| 635 | return "[InterpStateName $slave](nestedok)" |
---|
| 636 | } |
---|
| 637 | # Run some code at the namespace toplevel |
---|
| 638 | proc Toplevel {args} { |
---|
| 639 | namespace eval [namespace current] $args |
---|
| 640 | } |
---|
| 641 | # set/get values |
---|
| 642 | proc Set {args} { |
---|
| 643 | eval [linsert $args 0 Toplevel set] |
---|
| 644 | } |
---|
| 645 | # lappend on toplevel vars |
---|
| 646 | proc Lappend {args} { |
---|
| 647 | eval [linsert $args 0 Toplevel lappend] |
---|
| 648 | } |
---|
| 649 | # unset a var/token (currently just an global level eval) |
---|
| 650 | proc Unset {args} { |
---|
| 651 | eval [linsert $args 0 Toplevel unset] |
---|
| 652 | } |
---|
| 653 | # test existance |
---|
| 654 | proc Exists {varname} { |
---|
| 655 | Toplevel info exists $varname |
---|
| 656 | } |
---|
| 657 | # short cut for access path getting |
---|
| 658 | proc GetAccessPath {slave} { |
---|
| 659 | Set [PathListName $slave] |
---|
| 660 | } |
---|
| 661 | # short cut for statics ok flag getting |
---|
| 662 | proc StaticsOk {slave} { |
---|
| 663 | Set [StaticsOkName $slave] |
---|
| 664 | } |
---|
| 665 | # short cut for getting the multiples interps sub loading ok flag |
---|
| 666 | proc NestedOk {slave} { |
---|
| 667 | Set [NestedOkName $slave] |
---|
| 668 | } |
---|
| 669 | # interp deletion storing hook name |
---|
| 670 | proc DeleteHookName {slave} { |
---|
| 671 | return [InterpStateName $slave](cleanupHook) |
---|
| 672 | } |
---|
| 673 | |
---|
| 674 | # |
---|
| 675 | # translate virtual path into real path |
---|
| 676 | # |
---|
| 677 | proc TranslatePath {slave path} { |
---|
| 678 | # somehow strip the namespaces 'functionality' out (the danger |
---|
| 679 | # is that we would strip valid macintosh "../" queries... : |
---|
| 680 | if {[regexp {(::)|(\.\.)} $path]} { |
---|
| 681 | error "invalid characters in path $path" |
---|
| 682 | } |
---|
| 683 | set n [expr {[Set [PathNumberName $slave]]-1}] |
---|
| 684 | for {} {$n>=0} {incr n -1} { |
---|
| 685 | # fill the token virtual names with their real value |
---|
| 686 | set [PathToken $n] [Set [PathToken $n $slave]] |
---|
| 687 | } |
---|
| 688 | # replaces the token by their value |
---|
| 689 | subst -nobackslashes -nocommands $path |
---|
| 690 | } |
---|
| 691 | |
---|
| 692 | |
---|
| 693 | # Log eventually log an error |
---|
| 694 | # to enable error logging, set Log to {puts stderr} for instance |
---|
| 695 | proc Log {slave msg {type ERROR}} { |
---|
| 696 | variable Log |
---|
| 697 | if {[info exists Log] && [llength $Log]} { |
---|
| 698 | eval $Log [list "$type for slave $slave : $msg"] |
---|
| 699 | } |
---|
| 700 | } |
---|
| 701 | |
---|
| 702 | |
---|
| 703 | # file name control (limit access to files/ressources that should be |
---|
| 704 | # a valid tcl source file) |
---|
| 705 | proc CheckFileName {slave file} { |
---|
| 706 | # This used to limit what can be sourced to ".tcl" and forbid files |
---|
| 707 | # with more than 1 dot and longer than 14 chars, but I changed that |
---|
| 708 | # for 8.4 as a safe interp has enough internal protection already |
---|
| 709 | # to allow sourcing anything. - hobbs |
---|
| 710 | |
---|
| 711 | if {![file exists $file]} { |
---|
| 712 | # don't tell the file path |
---|
| 713 | error "no such file or directory" |
---|
| 714 | } |
---|
| 715 | |
---|
| 716 | if {![file readable $file]} { |
---|
| 717 | # don't tell the file path |
---|
| 718 | error "not readable" |
---|
| 719 | } |
---|
| 720 | } |
---|
| 721 | |
---|
| 722 | |
---|
| 723 | # AliasSource is the target of the "source" alias in safe interpreters. |
---|
| 724 | |
---|
| 725 | proc AliasSource {slave args} { |
---|
| 726 | |
---|
| 727 | set argc [llength $args] |
---|
| 728 | # Allow only "source filename" |
---|
| 729 | # (and not mac specific -rsrc for instance - see comment in ::init |
---|
| 730 | # for current rationale) |
---|
| 731 | if {$argc != 1} { |
---|
| 732 | set msg "wrong # args: should be \"source fileName\"" |
---|
| 733 | Log $slave "$msg ($args)" |
---|
| 734 | return -code error $msg |
---|
| 735 | } |
---|
| 736 | set file [lindex $args 0] |
---|
| 737 | |
---|
| 738 | # get the real path from the virtual one. |
---|
| 739 | if {[catch {set file [TranslatePath $slave $file]} msg]} { |
---|
| 740 | Log $slave $msg |
---|
| 741 | return -code error "permission denied" |
---|
| 742 | } |
---|
| 743 | |
---|
| 744 | # check that the path is in the access path of that slave |
---|
| 745 | if {[catch {FileInAccessPath $slave $file} msg]} { |
---|
| 746 | Log $slave $msg |
---|
| 747 | return -code error "permission denied" |
---|
| 748 | } |
---|
| 749 | |
---|
| 750 | # do the checks on the filename : |
---|
| 751 | if {[catch {CheckFileName $slave $file} msg]} { |
---|
| 752 | Log $slave "$file:$msg" |
---|
| 753 | return -code error $msg |
---|
| 754 | } |
---|
| 755 | |
---|
| 756 | # passed all the tests , lets source it: |
---|
| 757 | if {[catch {::interp invokehidden $slave source $file} msg]} { |
---|
| 758 | Log $slave $msg |
---|
| 759 | return -code error "script error" |
---|
| 760 | } |
---|
| 761 | return $msg |
---|
| 762 | } |
---|
| 763 | |
---|
| 764 | # AliasLoad is the target of the "load" alias in safe interpreters. |
---|
| 765 | |
---|
| 766 | proc AliasLoad {slave file args} { |
---|
| 767 | |
---|
| 768 | set argc [llength $args] |
---|
| 769 | if {$argc > 2} { |
---|
| 770 | set msg "load error: too many arguments" |
---|
| 771 | Log $slave "$msg ($argc) {$file $args}" |
---|
| 772 | return -code error $msg |
---|
| 773 | } |
---|
| 774 | |
---|
| 775 | # package name (can be empty if file is not). |
---|
| 776 | set package [lindex $args 0] |
---|
| 777 | |
---|
| 778 | # Determine where to load. load use a relative interp path |
---|
| 779 | # and {} means self, so we can directly and safely use passed arg. |
---|
| 780 | set target [lindex $args 1] |
---|
| 781 | if {$target ne ""} { |
---|
| 782 | # we will try to load into a sub sub interp |
---|
| 783 | # check that we want to authorize that. |
---|
| 784 | if {![NestedOk $slave]} { |
---|
| 785 | Log $slave "loading to a sub interp (nestedok)\ |
---|
| 786 | disabled (trying to load $package to $target)" |
---|
| 787 | return -code error "permission denied (nested load)" |
---|
| 788 | } |
---|
| 789 | |
---|
| 790 | } |
---|
| 791 | |
---|
| 792 | # Determine what kind of load is requested |
---|
| 793 | if {$file eq ""} { |
---|
| 794 | # static package loading |
---|
| 795 | if {$package eq ""} { |
---|
| 796 | set msg "load error: empty filename and no package name" |
---|
| 797 | Log $slave $msg |
---|
| 798 | return -code error $msg |
---|
| 799 | } |
---|
| 800 | if {![StaticsOk $slave]} { |
---|
| 801 | Log $slave "static packages loading disabled\ |
---|
| 802 | (trying to load $package to $target)" |
---|
| 803 | return -code error "permission denied (static package)" |
---|
| 804 | } |
---|
| 805 | } else { |
---|
| 806 | # file loading |
---|
| 807 | |
---|
| 808 | # get the real path from the virtual one. |
---|
| 809 | if {[catch {set file [TranslatePath $slave $file]} msg]} { |
---|
| 810 | Log $slave $msg |
---|
| 811 | return -code error "permission denied" |
---|
| 812 | } |
---|
| 813 | |
---|
| 814 | # check the translated path |
---|
| 815 | if {[catch {FileInAccessPath $slave $file} msg]} { |
---|
| 816 | Log $slave $msg |
---|
| 817 | return -code error "permission denied (path)" |
---|
| 818 | } |
---|
| 819 | } |
---|
| 820 | |
---|
| 821 | if {[catch {::interp invokehidden\ |
---|
| 822 | $slave load $file $package $target} msg]} { |
---|
| 823 | Log $slave $msg |
---|
| 824 | return -code error $msg |
---|
| 825 | } |
---|
| 826 | |
---|
| 827 | return $msg |
---|
| 828 | } |
---|
| 829 | |
---|
| 830 | # FileInAccessPath raises an error if the file is not found in |
---|
| 831 | # the list of directories contained in the (master side recorded) slave's |
---|
| 832 | # access path. |
---|
| 833 | |
---|
| 834 | # the security here relies on "file dirname" answering the proper |
---|
| 835 | # result.... needs checking ? |
---|
| 836 | proc FileInAccessPath {slave file} { |
---|
| 837 | |
---|
| 838 | set access_path [GetAccessPath $slave] |
---|
| 839 | |
---|
| 840 | if {[file isdirectory $file]} { |
---|
| 841 | error "\"$file\": is a directory" |
---|
| 842 | } |
---|
| 843 | set parent [file dirname $file] |
---|
| 844 | |
---|
| 845 | # Normalize paths for comparison since lsearch knows nothing of |
---|
| 846 | # potential pathname anomalies. |
---|
| 847 | set norm_parent [file normalize $parent] |
---|
| 848 | foreach path $access_path { |
---|
| 849 | lappend norm_access_path [file normalize $path] |
---|
| 850 | } |
---|
| 851 | |
---|
| 852 | if {[lsearch -exact $norm_access_path $norm_parent] == -1} { |
---|
| 853 | error "\"$file\": not in access_path" |
---|
| 854 | } |
---|
| 855 | } |
---|
| 856 | |
---|
| 857 | # This procedure enables access from a safe interpreter to only a subset of |
---|
| 858 | # the subcommands of a command: |
---|
| 859 | |
---|
| 860 | proc Subset {slave command okpat args} { |
---|
| 861 | set subcommand [lindex $args 0] |
---|
| 862 | if {[regexp $okpat $subcommand]} { |
---|
| 863 | return [eval [linsert $args 0 $command]] |
---|
| 864 | } |
---|
| 865 | set msg "not allowed to invoke subcommand $subcommand of $command" |
---|
| 866 | Log $slave $msg |
---|
| 867 | error $msg |
---|
| 868 | } |
---|
| 869 | |
---|
| 870 | # This procedure installs an alias in a slave that invokes "safesubset" |
---|
| 871 | # in the master to execute allowed subcommands. It precomputes the pattern |
---|
| 872 | # of allowed subcommands; you can use wildcards in the pattern if you wish |
---|
| 873 | # to allow subcommand abbreviation. |
---|
| 874 | # |
---|
| 875 | # Syntax is: AliasSubset slave alias target subcommand1 subcommand2... |
---|
| 876 | |
---|
| 877 | proc AliasSubset {slave alias target args} { |
---|
| 878 | set pat ^(; set sep "" |
---|
| 879 | foreach sub $args { |
---|
| 880 | append pat $sep$sub |
---|
| 881 | set sep | |
---|
| 882 | } |
---|
| 883 | append pat )\$ |
---|
| 884 | ::interp alias $slave $alias {}\ |
---|
| 885 | [namespace current]::Subset $slave $target $pat |
---|
| 886 | } |
---|
| 887 | |
---|
| 888 | # AliasEncoding is the target of the "encoding" alias in safe interpreters. |
---|
| 889 | |
---|
| 890 | proc AliasEncoding {slave args} { |
---|
| 891 | |
---|
| 892 | set argc [llength $args] |
---|
| 893 | |
---|
| 894 | set okpat "^(name.*|convert.*)\$" |
---|
| 895 | set subcommand [lindex $args 0] |
---|
| 896 | |
---|
| 897 | if {[regexp $okpat $subcommand]} { |
---|
| 898 | return [eval [linsert $args 0 \ |
---|
| 899 | ::interp invokehidden $slave encoding]] |
---|
| 900 | } |
---|
| 901 | |
---|
| 902 | if {[string first $subcommand system] == 0} { |
---|
| 903 | if {$argc == 1} { |
---|
| 904 | # passed all the tests , lets source it: |
---|
| 905 | if {[catch {::interp invokehidden \ |
---|
| 906 | $slave encoding system} msg]} { |
---|
| 907 | Log $slave $msg |
---|
| 908 | return -code error "script error" |
---|
| 909 | } |
---|
| 910 | } else { |
---|
| 911 | set msg "wrong # args: should be \"encoding system\"" |
---|
| 912 | Log $slave $msg |
---|
| 913 | error $msg |
---|
| 914 | } |
---|
| 915 | } else { |
---|
| 916 | set msg "wrong # args: should be \"encoding option ?arg ...?\"" |
---|
| 917 | Log $slave $msg |
---|
| 918 | error $msg |
---|
| 919 | } |
---|
| 920 | |
---|
| 921 | return $msg |
---|
| 922 | } |
---|
| 923 | |
---|
| 924 | } |
---|