1 | # safe.tcl -- |
---|
2 | # |
---|
3 | # This file provide a safe loading/sourcing mechanism for safe interpreters. |
---|
4 | # It implements a virtual path mechanism to hide the real pathnames from the |
---|
5 | # slave. It runs in a master interpreter and sets up data structure and |
---|
6 | # aliases that will be invoked when used from a slave interpreter. |
---|
7 | # |
---|
8 | # See the safe.n man page for details. |
---|
9 | # |
---|
10 | # Copyright (c) 1996-1997 Sun Microsystems, Inc. |
---|
11 | # |
---|
12 | # See the file "license.terms" for information on usage and redistribution |
---|
13 | # of this file, and for a DISCLAIMER OF ALL WARRANTIES. |
---|
14 | # |
---|
15 | # RCS: @(#) $Id: safe.tcl,v 1.9.2.3 2005/07/22 21:59:41 dgp Exp $ |
---|
16 | |
---|
17 | # |
---|
18 | # The implementation is based on namespaces. These naming conventions |
---|
19 | # are followed: |
---|
20 | # Private procs starts with uppercase. |
---|
21 | # Public procs are exported and starts with lowercase |
---|
22 | # |
---|
23 | |
---|
24 | # Needed utilities package |
---|
25 | package require opt 0.4.1; |
---|
26 | |
---|
27 | # Create the safe namespace |
---|
28 | namespace eval ::safe { |
---|
29 | |
---|
# Exported API (public entry points, lowercase).  Everything else in this
# namespace is private (uppercase) and is only reached through the aliases
# installed into the slave by InterpInit.
namespace export interpCreate interpInit interpConfigure interpDelete \
    interpAddToAccessPath interpFindInAccessPath setLogCmd
---|
33 | |
---|
34 | #### |
---|
35 | # |
---|
36 | # Setup the arguments parsing |
---|
37 | # |
---|
38 | #### |
---|
39 | |
---|
# Make sure that our temporary variable is local to this
# namespace. [Bug 981733]
variable temp

# Share the descriptions.  These option descriptions are the single source
# of truth for interpCreate / interpInit / interpConfigure.  Note that
# -deleteHook is a script evaluated in the *master* interpreter when the
# slave goes away (see interpDelete); it must only ever be supplied by
# trusted master-side code.
set temp [::tcl::OptKeyRegister {
    {-accessPath -list {} "access path for the slave"}
    {-noStatics "prevent loading of statically linked pkgs"}
    {-statics true "loading of statically linked pkgs"}
    {-nestedLoadOk "allow nested loading"}
    {-nested false "nested loading"}
    {-deleteHook -script {} "delete hook"}
}]

# create case (slave is optional)
::tcl::OptKeyRegister {
    {?slave? -name {} "name of the slave (optional)"}
} ::safe::interpCreate
# adding the flags sub programs to the command program
# (relying on Opt's internal implementation details)
lappend ::tcl::OptDesc(::safe::interpCreate) $::tcl::OptDesc($temp)

# init and configure (slave is needed)
::tcl::OptKeyRegister {
    {slave -name {} "name of the slave"}
} ::safe::interpIC
# adding the flags sub programs to the command program
# (relying on Opt's internal implementation details)
lappend ::tcl::OptDesc(::safe::interpIC) $::tcl::OptDesc($temp)
# temp not needed anymore
::tcl::OptKeyDelete $temp
---|
71 | |
---|
72 | |
---|
# Resolve the two ways of saying "statics allowed": "-statics <bool>" or
# the bare "-noStatics" flag.  Reads Args / statics / noStatics from the
# caller's frame, where ::tcl::OptKeyParse left them.
# Returns the effective value (the -statics value as given, or the
# negation of -noStatics).  Raises an error when both forms are given and
# disagree; since -noStatics is a bare flag this amounts to
# "-noStatics -statics true".
proc InterpStatics {} {
    upvar Args Args statics statics noStatics noStatics
    set noGiven   [::tcl::OptProcArgGiven -noStatics]
    set boolGiven [::tcl::OptProcArgGiven -statics]
    if {$noGiven && $boolGiven && (!$noStatics == !$statics)} {
        return -code error \
            "conflicting values given for -statics and -noStatics"
    }
    if {!$noGiven} {
        return $statics
    }
    return [expr {!$noStatics}]
}
---|
91 | |
---|
# Resolve the two ways of saying "nested loading allowed":
# "-nested <bool>" or the bare "-nestedLoadOk" flag.  Reads Args / nested /
# nestedLoadOk from the caller's frame (set by ::tcl::OptKeyParse).
# Unlike InterpStatics the flag and the boolean have the same polarity, so
# they conflict when their truth values differ, and the flag value is
# returned as-is rather than negated.
proc InterpNested {} {
    upvar Args Args nested nested nestedLoadOk nestedLoadOk
    set okGiven   [::tcl::OptProcArgGiven -nestedLoadOk]
    set boolGiven [::tcl::OptProcArgGiven -nested]
    if {$okGiven && $boolGiven && (!$nestedLoadOk != !$nested)} {
        return -code error \
            "conflicting values given for -nested and -nestedLoadOk"
    }
    if {$okGiven} {
        return $nestedLoadOk
    }
    return $nested
}
---|
113 | |
---|
114 | #### |
---|
115 | # |
---|
116 | # API entry points that needs argument parsing : |
---|
117 | # |
---|
118 | #### |
---|
119 | |
---|
120 | |
---|
# Interface/entry point function and front end for "Create".
# ::tcl::OptKeyParse sets slave, accessPath, statics, noStatics, nested,
# nestedLoadOk and deleteHook in this frame as a side effect (InterpStatics
# and InterpNested read them via upvar), so the "undefined" variables below
# are intentional.
# Returns the name of the newly created safe slave.
proc interpCreate {args} {
    set Args [::tcl::OptKeyParse ::safe::interpCreate $args]
    InterpCreate $slave $accessPath \
        [InterpStatics] [InterpNested] $deleteHook
}
---|
127 | |
---|
# Interface/entry point function and front end for "Init": install the
# Safe Base into an interpreter that already exists.
# Variables slave/accessPath/deleteHook come from ::tcl::OptKeyParse.
# NOTE(review): only "interp exists" is checked here; nothing verifies that
# the interpreter was created with -safe, so applying this to an unsafe
# interp installs the aliases without providing any sandbox.  Callers are
# responsible for passing a safe interpreter.
# Returns the slave name.
proc interpInit {args} {
    set Args [::tcl::OptKeyParse ::safe::interpIC $args]
    if {![::interp exists $slave]} {
        return -code error "\"$slave\" is not an interpreter"
    }
    InterpInit $slave $accessPath \
        [InterpStatics] [InterpNested] $deleteHook;
}
---|
136 | |
---|
# Raise an error unless $slave is an existing interpreter whose state is
# recorded in this namespace (see IsInterp).  Returns nothing on success.
proc CheckInterp {slave} {
    if {[IsInterp $slave]} {
        return
    }
    return -code error \
        "\"$slave\" is not an interpreter managed by ::safe::"
}
---|
143 | |
---|
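# Interface/entry point function and front end for "Configure".
#
#   interpConfigure slave                  -> every current setting as a
#                                             flat "-flag value ..." list
#   interpConfigure slave -flag            -> {-flag value} for one flag
#   interpConfigure slave ?-flag value?... -> reconfigure the slave
#
# Settings that are not given keep their *current* (not default) value.
# After a reconfiguration that supplied a new -accessPath the slave's
# auto_reset is run so its auto_index matches the new path (see the Nb:
# on InterpSetConfig); the previous version had this test inverted and ran
# auto_reset only when -accessPath was NOT given.
#
# This code is awfully pedestrian because it would need
# more coupling and support between the way we store the
# configuration values in safe::interp's and the Opt package
# Obviously we would like an OptConfigure
# to avoid duplicating all this code everywhere. -> TODO
# (the app should share or access easily the program/value
# stored by opt)
# This is even more complicated by the boolean flags with no values
# that we had the bad idea to support for the sake of user simplicity
# in create/init but which makes life hard in configure...
# So this will be hopefully written and some integrated with opt1.0
# (hopefully for tcl8.1 ?)
proc interpConfigure {args} {
    switch [llength $args] {
        1 {
            # If we have exactly 1 argument
            # the semantic is to return all the current configuration
            # We still call OptKeyParse though we know that "slave"
            # is our given argument because it also checks
            # for the "-help" option.
            set Args [::tcl::OptKeyParse ::safe::interpIC $args]
            CheckInterp $slave
            set res {}
            lappend res [list -accessPath [Set [PathListName $slave]]]
            lappend res [list -statics [Set [StaticsOkName $slave]]]
            lappend res [list -nested [Set [NestedOkName $slave]]]
            lappend res [list -deleteHook [Set [DeleteHookName $slave]]]
            join $res
        }
        2 {
            # If we have exactly 2 arguments
            # the semantic is a "configure get"
            ::tcl::Lassign $args slave arg
            # get the flag sub program (we 'know' about Opt's internal
            # representation of data)
            set desc [lindex [::tcl::OptKeyGetDesc ::safe::interpIC] 2]
            set hits [::tcl::OptHits desc $arg]
            if {$hits > 1} {
                return -code error [::tcl::OptAmbigous $desc $arg]
            } elseif {$hits == 0} {
                return -code error [::tcl::OptFlagUsage $desc $arg]
            }
            CheckInterp $slave
            set item [::tcl::OptCurDesc $desc]
            set name [::tcl::OptName $item]
            switch -exact -- $name {
                -accessPath {
                    return [list -accessPath [Set [PathListName $slave]]]
                }
                -statics {
                    return [list -statics [Set [StaticsOkName $slave]]]
                }
                -nested {
                    return [list -nested [Set [NestedOkName $slave]]]
                }
                -deleteHook {
                    return [list -deleteHook [Set [DeleteHookName $slave]]]
                }
                -noStatics {
                    # it is most probably a set in fact
                    # but we would need then to jump to the set part
                    # and it is not *sure* that it is a set action
                    # that the user want, so force it to use the
                    # unambigous -statics ?value? instead:
                    return -code error\
                        "ambigous query (get or set -noStatics ?)\
                        use -statics instead"
                }
                -nestedLoadOk {
                    return -code error\
                        "ambigous query (get or set -nestedLoadOk ?)\
                        use -nested instead"
                }
                default {
                    return -code error "unknown flag $name (bug)"
                }
            }
        }
        default {
            # Otherwise we want to parse the arguments like init and create
            # did
            set Args [::tcl::OptKeyParse ::safe::interpIC $args]
            CheckInterp $slave
            # Get the current (and not the default) values of
            # whatever has not been given.  Only a *new* access path
            # requires the slave's auto_index to be rebuilt.
            if {![::tcl::OptProcArgGiven -accessPath]} {
                set doreset 0
                set accessPath [Set [PathListName $slave]]
            } else {
                set doreset 1
            }
            if {(![::tcl::OptProcArgGiven -statics]) \
                    && (![::tcl::OptProcArgGiven -noStatics]) } {
                set statics [Set [StaticsOkName $slave]]
            } else {
                set statics [InterpStatics]
            }
            if {([::tcl::OptProcArgGiven -nested]) \
                    || ([::tcl::OptProcArgGiven -nestedLoadOk]) } {
                set nested [InterpNested]
            } else {
                set nested [Set [NestedOkName $slave]]
            }
            if {![::tcl::OptProcArgGiven -deleteHook]} {
                set deleteHook [Set [DeleteHookName $slave]]
            }
            # we can now reconfigure :
            InterpSetConfig $slave $accessPath $statics $nested $deleteHook
            # auto_reset the slave (to completely synch the new access_path).
            # auto_reset runs inside the (sandboxed) slave, so a failure
            # there is only logged.
            if {$doreset} {
                if {[catch {::interp eval $slave {auto_reset}} msg]} {
                    Log $slave "auto_reset failed: $msg"
                } else {
                    Log $slave "successful auto_reset" NOTICE
                }
            }
        }
    }
}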
---|
264 | |
---|
265 | |
---|
266 | #### |
---|
267 | # |
---|
268 | # Functions that actually implements the exported APIs |
---|
269 | # |
---|
270 | #### |
---|
271 | |
---|
272 | |
---|
273 | # |
---|
# safe::InterpCreate : doing the real job
#
# Create a new safe slave and install the Safe Base aliases into it via
# InterpInit.
# NB: slave name must be simple alphanumeric string, no spaces,
# no (), no {},... {because the state array is stored as part of the name}
#
# Arguments:
#   slave       name for the slave; empty -> Tcl generates one
#   access_path list of directories load/source may use; empty -> derived
#               from the master's auto_path (see InterpSetConfig)
#   staticsok   0: "load {} Pkg" (static packages) refused; 1: allowed
#   nestedok    0: loading into sub-sub interps refused; 1: allowed
#   deletehook  master-side script run when the slave is deleted
# Returns the slave name.

# use the full name and no indent so auto_mkIndex can find us
proc ::safe::InterpCreate {
    slave
    access_path
    staticsok
    nestedok
    deletehook
} {
    if {$slave eq ""} {
        # Let Tcl choose a name.
        set slave [::interp create -safe]
    } else {
        ::interp create -safe $slave
    }
    Log $slave "Created" NOTICE

    # InterpInit returns the slave name, which is our result as well.
    return [InterpInit $slave $access_path $staticsok $nestedok $deletehook]
}
---|
312 | |
---|
313 | |
---|
314 | # |
---|
# InterpSetConfig (was setAccessPath) :
# Sets up slave virtual auto_path and corresponding structure
# within the master. Also sets the tcl_library in the slave
# to be the first directory in the path.
#
# Security note: when access_path is empty the slave gets the *master's*
# auto_path, with [info library] forced to the front and every first-level
# subdirectory of each entry appended (AddSubDirs).  Everything in those
# directories then becomes source/load-able by the slave, so callers that
# need tighter confinement must pass an explicit, minimal access path.
#
# Each real directory is stored under a numbered master-side token
# (PathToken) and the slave only ever sees "$p(:N:)" placeholders; the
# full real list is kept in PathListName for FileInAccessPath.
#
# Nb: If you change the path after the slave has been initialized
# you probably need to call "auto_reset" in the slave in order that it
# gets the right auto_index() array values.

proc ::safe::InterpSetConfig {slave access_path staticsok\
    nestedok deletehook} {

    # determine and store the access path if empty
    if {$access_path eq ""} {
        set access_path [uplevel \#0 set auto_path]
        # Make sure that tcl_library is in auto_path
        # and at the first position (needed by setAccessPath)
        set where [lsearch -exact $access_path [info library]]
        if {$where == -1} {
            # not found, add it.
            set access_path [concat [list [info library]] $access_path]
            Log $slave "tcl_library was not in auto_path,\
                added it to slave's access_path" NOTICE
        } elseif {$where != 0} {
            # not first, move it first
            set access_path [concat [list [info library]]\
                [lreplace $access_path $where $where]]
            Log $slave "tcl_libray was not in first in auto_path,\
                moved it to front of slave's access_path" NOTICE

        }

        # Add 1st level sub dirs (will searched by auto loading from tcl
        # code in the slave using glob and thus fail, so we add them
        # here so by default it works the same).
        set access_path [AddSubDirs $access_path]
    }

    Log $slave "Setting accessPath=($access_path) staticsok=$staticsok\
        nestedok=$nestedok deletehook=($deletehook)" NOTICE

    # clear old autopath if it existed: drop every per-directory token
    # variable recorded for this slave.
    set nname [PathNumberName $slave]
    if {[Exists $nname]} {
        set n [Set $nname]
        for {set i 0} {$i<$n} {incr i} {
            Unset [PathToken $i $slave]
        }
    }

    # build new one: real dir -> master token variable, and the matching
    # "$p(:i:)" placeholder list that becomes the slave's auto_path.
    set slave_auto_path {}
    set i 0
    foreach dir $access_path {
        Set [PathToken $i $slave] $dir
        lappend slave_auto_path "\$[PathToken $i]"
        incr i
    }
    Set $nname $i
    Set [PathListName $slave] $access_path
    Set [VirtualPathListName $slave] $slave_auto_path

    Set [StaticsOkName $slave] $staticsok
    Set [NestedOkName $slave] $nestedok
    Set [DeleteHookName $slave] $deletehook

    # Push the virtual path (and tcl_library) into the slave.
    SyncAccessPath $slave
}
---|
382 | |
---|
383 | # |
---|
384 | # |
---|
# FindInAccessPath:
# Search for a real directory in the slave's access path and return its
# virtual token (including the "$").
# The match is an exact string comparison (lsearch -exact): no
# normalization is done, so "/a/b" and "/a/b/" are different entries.
# Raises an error (listing the whole real path) when not found.
proc ::safe::interpFindInAccessPath {slave path} {
    set dirs [GetAccessPath $slave]
    set idx [lsearch -exact $dirs $path]
    if {$idx < 0} {
        return -code error "$path not found in access path $dirs"
    }
    return "\$[PathToken $idx]"
}
---|
396 | |
---|
397 | # |
---|
# addToAccessPath:
# add (if needed) a real directory to access path
# and return its virtual token (including the "$").
# The whole directory (and nothing below it; see AddSubDirs for the
# default path) becomes source/load-able by the slave.
# NOTE(review): no "file isdirectory" check and no CheckInterp here; an
# unmanaged slave name presumably fails on the [Set $nname] read of a
# missing state variable with Tcl's own error text -- confirm.
proc ::safe::interpAddToAccessPath {slave path} {
    # first check if the directory is already in there
    if {![catch {interpFindInAccessPath $slave $path} res]} {
        return $res
    }
    # new one, add it: next free token number
    set nname [PathNumberName $slave]
    set n [Set $nname]
    Set [PathToken $n $slave] $path

    set token "\$[PathToken $n]"

    Lappend [VirtualPathListName $slave] $token
    Lappend [PathListName $slave] $path
    Set $nname [expr {$n+1}]

    # Push the updated virtual auto_path into the slave.
    SyncAccessPath $slave

    return $token
}
---|
421 | |
---|
# This procedure applies the initializations to an already existing
# interpreter. It is useful when you want to install the safe base
# aliases into a preexisting safe interpreter.
#
# What gets installed (all aliases point at master-side procs, which is
# where every check on slave-supplied arguments lives):
#   source   -> AliasSource   (virtual-path translation + access checks)
#   load     -> AliasLoad     (same, plus statics/nested policy)
#   encoding -> AliasEncoding (defined elsewhere in this file)
#   file     -> AliasSubset with a glob whitelist of subcommands
#               (defined elsewhere in this file; presumably the
#               path-string-only ones -- confirm against AliasSubset)
#   exit     -> interpDelete  (so the slave can only delete itself)
# Finally init.tcl is sourced *through the slave's own source alias*,
# i.e. it is subject to the same access-path checks as any slave script,
# and $tcl_library inside the slave is the virtual "$p(:0:)" token.
# Returns the slave name; raises an error if init.tcl cannot be sourced.
proc ::safe::InterpInit {
    slave
    access_path
    staticsok
    nestedok
    deletehook
} {

    # Configure will generate an access_path when access_path is
    # empty.
    InterpSetConfig $slave $access_path $staticsok $nestedok $deletehook

    # These aliases let the slave load files to define new commands

    # NB we need to add [namespace current], aliases are always
    # absolute paths.
    ::interp alias $slave source {} [namespace current]::AliasSource $slave
    ::interp alias $slave load {} [namespace current]::AliasLoad $slave

    # This alias lets the slave use the encoding names, convertfrom,
    # convertto, and system, but not "encoding system <name>" to set
    # the system encoding.

    ::interp alias $slave encoding {} [namespace current]::AliasEncoding \
        $slave

    # This alias lets the slave have access to a subset of the 'file'
    # command functionality.

    AliasSubset $slave file file dir.* join root.* ext.* tail \
        path.* split

    # This alias interposes on the 'exit' command and cleanly terminates
    # the slave.

    ::interp alias $slave exit {} [namespace current]::interpDelete $slave

    # The allowed slave variables already have been set
    # by Tcl_MakeSafe(3)


    # Source init.tcl into the slave, to get auto_load and other
    # procedures defined:

    # We don't try to use the -rsrc on the mac because it would get
    # confusing if you would want to customize init.tcl
    # for a given set of safe slaves, on all the platforms
    # you just need to give a specific access_path and
    # the mac should be no exception. As there is no
    # obvious full "safe ressources" design nor implementation
    # for the mac, safe interps there will just don't
    # have that ability. (A specific app can still reenable
    # that using custom aliases if they want to).
    # It would also make the security analysis and the Safe Tcl security
    # model platform dependant and thus more error prone.

    if {[catch {::interp eval $slave\
        {source [file join $tcl_library init.tcl]}} msg]} {
        Log $slave "can't source init.tcl ($msg)"
        error "can't source init.tcl into slave $slave ($msg)"
    }

    return $slave
}
---|
489 | |
---|
490 | |
---|
# Expand a directory list by one level: every existing directory in
# pathList is kept, followed by its immediate subdirectories.  Duplicates
# are suppressed (exact string match) and anything that is not a directory
# -- in the input or among the children -- is left out of the result.
# Used to build the default access path, so it widens what a slave may
# source/load to one level below the master's auto_path entries.
proc AddSubDirs {pathList} {
    set result {}
    foreach dir $pathList {
        if {![file isdirectory $dir]} {
            continue
        }
        if {[lsearch -exact $result $dir] < 0} {
            lappend result $dir
        }
        foreach child [glob -directory $dir -nocomplain *] {
            if {![file isdirectory $child]} {
                continue
            }
            if {[lsearch -exact $result $child] < 0} {
                lappend result $child
            }
        }
    }
    return $result
}
---|
514 | |
---|
# This procedure deletes a safe slave managed by Safe Tcl and
# cleans up associated state.
#
# The delete hook (a master-side script) is removed from the state before
# it is run, so a hook that ends up calling interpDelete again cannot
# recurse; hook errors are logged and otherwise ignored.  Because "exit"
# in the slave is aliased to this proc (see InterpInit), an untrusted slave
# can trigger the hook at a time of its choosing -- the hook must be safe
# to run at any moment.  Safe to call for interps that were never
# registered with ::safe and safe to call twice for the same slave.

proc ::safe::interpDelete {slave} {

    Log $slave "About to delete" NOTICE

    # If the slave has a cleanup hook registered, call it.
    # check the existance because we might be called to delete an interp
    # which has not been registered with us at all
    set hookname [DeleteHookName $slave]
    if {[Exists $hookname]} {
        set hook [Set $hookname]
        if {![::tcl::Lempty $hook]} {
            # remove the hook now, otherwise if the hook
            # calls us somehow, we'll loop
            Unset $hookname
            # The slave name is appended as the hook's last argument.
            if {[catch {eval $hook [list $slave]} err]} {
                Log $slave "Delete hook error ($err)"
            }
        }
    }

    # Discard the global array of state associated with the slave, and
    # delete the interpreter.

    set statename [InterpStateName $slave]
    if {[Exists $statename]} {
        Unset $statename
    }

    # if we have been called twice, the interp might have been deleted
    # already
    if {[::interp exists $slave]} {
        ::interp delete $slave
        Log $slave "Deleted" NOTICE
    }

    return
}
---|
555 | |
---|
# Set (or get) the logging mechanism.
#   setLogCmd            -> returns the current log command prefix
#   setLogCmd cmd        -> installs cmd (a single word or a list)
#   setLogCmd w1 w2 ...  -> installs the words as a command prefix
# The prefix is evaluated in the master by Log with one extra argument,
# the message; an empty prefix turns logging off.

proc ::safe::setLogCmd {args} {
    variable Log
    switch [llength $args] {
        0 {
            return $Log
        }
        1 {
            set Log [lindex $args 0]
        }
        default {
            set Log $args
        }
    }
}
---|
570 | |
---|
# internal variable: the logging command prefix used by the Log proc.
# Empty (the default) means logging is off; set it with setLogCmd.
variable Log {}
---|
573 | |
---|
574 | # ------------------- END OF PUBLIC METHODS ------------ |
---|
575 | |
---|
576 | |
---|
577 | # |
---|
# Push the master-recorded virtual path into the slave: its auto_path
# becomes the list of "$p(:N:)" tokens and tcl_library the first token.
# [list] quoting keeps the "$" in the tokens literal inside the slave.
proc SyncAccessPath {slave} {
    set virtual [Set [VirtualPathListName $slave]]
    ::interp eval $slave [list set auto_path $virtual]
    Log $slave "auto_path in $slave has been set to $virtual" NOTICE
    set first [lindex $virtual 0]
    ::interp eval $slave [list set tcl_library $first]
}
---|
588 | |
---|
# Name of the master-side array holding all state for a slave: "S" followed
# by the slave name (so slave "foo" uses "Sfoo", sub slave {foo bar} uses
# "Sfoo bar").  The prefix keeps a slave called "Log" from clobbering our
# own "Log" variable.
proc InterpStateName {slave} {
    return [format "S%s" $slave]
}
---|
598 | |
---|
# Check that the given slave is "one of us": its state array exists in this
# namespace AND the interpreter itself still exists.  Returns 0/1.
proc IsInterp {slave} {
    if {![Exists [InterpStateName $slave]]} {
        return 0
    }
    return [::interp exists $slave]
}
---|
603 | |
---|
# Virtual token for access-path entry number n.
# Without a slave argument: the placeholder the slave sees, "p(:n:)"
# (the ":" keeps [file join] on the mac from treating it as relative).
# With a slave argument: the master-side state variable that holds the
# real directory for that token.
proc PathToken {n {slave ""}} {
    if {$slave eq ""} {
        return "p(:$n:)"
    }
    return "[InterpStateName $slave](access_path,$n)"
}
---|
# Master-side variable holding the slave's complete list of real
# directories (the access path).
proc PathListName {slave} {
    return [format "%s(access_path)" [InterpStateName $slave]]
}
---|
# Master-side variable holding the slave's list of virtual tokens (the
# value pushed into the slave as auto_path).
proc VirtualPathListName {slave} {
    return [format "%s(access_path_slave)" [InterpStateName $slave]]
}
---|
# Master-side variable holding the number of access-path tokens.
proc PathNumberName {slave} {
    return [format "%s(access_path,n)" [InterpStateName $slave]]
}
---|
# Master-side variable holding the "static packages allowed" flag.
proc StaticsOkName {slave} {
    return [format "%s(staticsok)" [InterpStateName $slave]]
}
---|
# Master-side variable holding the "nested loading allowed" flag.
proc NestedOkName {slave} {
    return [format "%s(nestedok)" [InterpStateName $slave]]
}
---|
# Run a command at the top level of this namespace.  args is passed as one
# properly quoted list, so names containing spaces survive.
proc Toplevel {args} {
    set ns [namespace current]
    namespace eval $ns $args
}
---|
# "set" on a namespace-level variable: Set name ?value?.
proc Set {args} {
    eval [list Toplevel set] $args
}
---|
# "lappend" on a namespace-level variable: Lappend name value...
proc Lappend {args} {
    eval [list Toplevel lappend] $args
}
---|
# "unset" on namespace-level variables/tokens.
proc Unset {args} {
    eval [list Toplevel unset] $args
}
---|
# Does a namespace-level variable (or array element) exist?  Returns 0/1.
proc Exists {varname} {
    return [Toplevel info exists $varname]
}
---|
# Shortcut: the slave's list of real access-path directories.
proc GetAccessPath {slave} {
    return [Set [PathListName $slave]]
}
---|
# Shortcut: is static package loading allowed for this slave?
proc StaticsOk {slave} {
    return [Set [StaticsOkName $slave]]
}
---|
# Shortcut: is loading into sub-sub interpreters allowed for this slave?
proc NestedOk {slave} {
    return [Set [NestedOkName $slave]]
}
---|
# Master-side variable holding the slave's deletion hook script.
proc DeleteHookName {slave} {
    return [format "%s(cleanupHook)" [InterpStateName $slave]]
}
---|
673 | |
---|
674 | # |
---|
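# translate virtual path into real path
#
# path is untrusted (it comes straight from the slave's source/load call).
# Two defenses: "::" and ".." are rejected outright (the latter also
# rejects legitimate Macintosh "../"-style queries, a known limitation),
# and then ONLY the registered "$p(:N:)" tokens are replaced by their real
# directories, via [string map].
#
# The previous implementation ran [subst -nobackslashes -nocommands] over
# the slave string, which performs general variable substitution in this
# proc's frame -- so "$slave", "$path" and "$n" were expanded as well, and
# an unregistered "$p(:99:)" raised a Tcl error instead of being left
# alone.  With [string map] nothing but the token table is consulted; an
# unknown token stays literal and is then refused by FileInAccessPath.
# (Callers already treat any error here as "permission denied".)
# Returns the translated path; raises an error for invalid characters.
proc TranslatePath {slave path} {
    if {[regexp {(::)|(\.\.)} $path]} {
        error "invalid characters in path $path"
    }
    # Build the token -> real directory table for this slave.
    set map {}
    set count [Set [PathNumberName $slave]]
    for {set i 0} {$i < $count} {incr i} {
        lappend map "\$[PathToken $i]" [Set [PathToken $i $slave]]
    }
    return [string map $map $path]
}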
---|
691 | |
---|
692 | |
---|
# Log a message through the configured log command (see setLogCmd); does
# nothing when no log command is set.  The line is
# "<type> for slave <slave> : <msg>"; type defaults to ERROR.
# msg frequently embeds slave-supplied text (file names, arguments), so a
# log sink must treat it as data, never re-evaluate it.
proc Log {slave msg {type ERROR}} {
    variable Log
    if {![info exists Log] || ![llength $Log]} {
        return
    }
    set line "$type for slave $slave : $msg"
    eval $Log [list $line]
}
---|
701 | |
---|
702 | |
---|
# file name control (limit access to files/resources that should be
# a valid tcl source file)
# Earlier versions restricted sourcing to short ".tcl" names; since 8.4 the
# safe interpreter's own protections are relied on and any existing,
# readable file is accepted.
# The error texts deliberately omit the (real) path because AliasSource
# relays them verbatim to the slave.
proc CheckFileName {slave file} {
    if {![file exists $file]} {
        error "no such file or directory"
    }
    if {![file readable $file]} {
        error "not readable"
    }
    return
}
---|
721 | |
---|
722 | |
---|
# AliasSource is the target of the "source" alias in safe interpreters.
#
# Every argument is slave-supplied and untrusted.  Checks, in order:
#   1. exactly one argument (no -rsrc or other option forms),
#   2. TranslatePath: reject ".." / "::", expand "$p(:N:)" tokens,
#   3. FileInAccessPath: the translated file must lie in one of the
#      slave's access-path directories,
#   4. CheckFileName: the file exists and is readable.
# The real reason for a failure goes to the master log only; the slave
# sees "permission denied" (steps 2-3), the path-free CheckFileName text
# (step 4) or "script error", so real pathnames are not disclosed.
# NOTE(review): steps 2-4 validate a path and the hidden "source" then
# re-opens it; a file swapped in between is not re-validated (inherent
# check-then-use on a filesystem).
# Returns the result of the sourced script.

proc AliasSource {slave args} {

    set argc [llength $args]
    # Allow only "source filename"
    # (and not mac specific -rsrc for instance - see comment in ::init
    # for current rationale)
    if {$argc != 1} {
        set msg "wrong # args: should be \"source fileName\""
        Log $slave "$msg ($args)"
        return -code error $msg
    }
    set file [lindex $args 0]

    # get the real path from the virtual one.
    if {[catch {set file [TranslatePath $slave $file]} msg]} {
        Log $slave $msg
        return -code error "permission denied"
    }

    # check that the path is in the access path of that slave
    if {[catch {FileInAccessPath $slave $file} msg]} {
        Log $slave $msg
        return -code error "permission denied"
    }

    # do the checks on the filename :
    if {[catch {CheckFileName $slave $file} msg]} {
        Log $slave "$file:$msg"
        return -code error $msg
    }

    # passed all the tests , lets source it: the real error (which could
    # contain real pathnames) is logged, the slave only gets "script error".
    if {[catch {::interp invokehidden $slave source $file} msg]} {
        Log $slave $msg
        return -code error "script error"
    }
    return $msg
}
---|
763 | |
---|
# AliasLoad is the target of the "load" alias in safe interpreters.
#
# All of file/args are slave-supplied and untrusted.  Policy enforced:
#   - at most "load file ?package? ?target?",
#   - a non-empty target (load into a sub-sub interp) requires the slave's
#     nestedok flag,
#   - an empty file (static package) requires a package name and the
#     slave's staticsok flag,
#   - a non-empty file goes through TranslatePath and FileInAccessPath
#     exactly like "source".
# NOTE(review): on failure of the hidden "load" the error text is returned
# to the slave unchanged (last catch below), unlike AliasSource which
# masks it as "script error".  Tcl's load error may embed the translated
# real file path, so the pathname hiding is weaker on this code path.
# Returns the result of the hidden load.

proc AliasLoad {slave file args} {

    set argc [llength $args]
    if {$argc > 2} {
        set msg "load error: too many arguments"
        Log $slave "$msg ($argc) {$file $args}"
        return -code error $msg
    }

    # package name (can be empty if file is not).
    set package [lindex $args 0]

    # Determine where to load. load use a relative interp path
    # and {} means self, so we can directly and safely use passed arg.
    set target [lindex $args 1]
    if {$target ne ""} {
        # we will try to load into a sub sub interp
        # check that we want to authorize that.
        if {![NestedOk $slave]} {
            Log $slave "loading to a sub interp (nestedok)\
                disabled (trying to load $package to $target)"
            return -code error "permission denied (nested load)"
        }

    }

    # Determine what kind of load is requested
    if {$file eq ""} {
        # static package loading: no path to check, only the policy flag.
        if {$package eq ""} {
            set msg "load error: empty filename and no package name"
            Log $slave $msg
            return -code error $msg
        }
        if {![StaticsOk $slave]} {
            Log $slave "static packages loading disabled\
                (trying to load $package to $target)"
            return -code error "permission denied (static package)"
        }
    } else {
        # file loading

        # get the real path from the virtual one.
        if {[catch {set file [TranslatePath $slave $file]} msg]} {
            Log $slave $msg
            return -code error "permission denied"
        }

        # check the translated path
        if {[catch {FileInAccessPath $slave $file} msg]} {
            Log $slave $msg
            return -code error "permission denied (path)"
        }
    }

    # Error text from the hidden load is passed back to the slave as-is.
    if {[catch {::interp invokehidden\
        $slave load $file $package $target} msg]} {
        Log $slave $msg
        return -code error $msg
    }

    return $msg
}
829 | |
830 | # FileInAccessPath raises an error if the file is not found in |
831 | # the list of directories contained in the (master side recorded) slave's |
832 | # access path. |
833 | |
834 | # The security of this check relies on "file dirname" returning the proper |
835 | # parent directory; this assumption still needs to be verified. |
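proc FileInAccessPath {slave file} {
    # Only the parent directory of $file is compared against the access
    # path; the file itself is not required to exist.
    #
    # Arguments:
    #   slave   the slave interpreter whose recorded access path is used.
    #   file    a master-side path (as produced by TranslatePath).
    #
    # Results: nothing on success; an error when $file is a directory or
    # its parent directory is not one of the access path entries.

    set access_path [GetAccessPath $slave]

    if {[file isdirectory $file]} {
	error "\"$file\": is a directory"
    }
    set parent [file dirname $file]

    # Normalize paths for comparison since lsearch knows nothing of
    # potential pathname anomalies.  Start from an empty list so that an
    # empty access path produces the "not in access_path" error below
    # instead of a "no such variable" error from lsearch.
    set norm_parent [file normalize $parent]
    set norm_access_path {}
    foreach path $access_path {
	lappend norm_access_path [file normalize $path]
    }

    # NOTE(review): "file normalize" resolves symlinks in the leading
    # components only, so a symlink as the final component is judged by
    # where it sits, not where it points.  A relative $file resolves
    # against the master's current directory -- this relies on
    # TranslatePath returning absolute paths; confirm.
    if {[lsearch -exact $norm_access_path $norm_parent] == -1} {
	error "\"$file\": not in access_path"
    }
}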
856 | |
857 | # This procedure enables access from a safe interpreter to only a subset of |
858 | # the subcommands of a command: |
859 | |
proc Subset {slave command okpat args} {
    # Target of the aliases installed by AliasSubset: run $command for the
    # slave only when the requested subcommand matches the regexp $okpat;
    # anything else is logged on the master and refused.
    #
    # Arguments:
    #   slave     the slave interpreter making the call.
    #   command   the master-side command to run.
    #   okpat     regexp of allowed subcommand names.
    #   args      the subcommand followed by its arguments, as sent by the
    #             slave.
    #
    # Results: the result of $command applied to $args, or an error.
    set requested [lindex $args 0]
    if {![regexp $okpat $requested]} {
	set msg "not allowed to invoke subcommand $requested of $command"
	Log $slave $msg
	error $msg
    }
    # linsert yields a proper list, so eval runs exactly one command with
    # the slave's words kept as separate arguments.
    set cmd [linsert $args 0 $command]
    return [eval $cmd]
}
869 | |
870 | # This procedure installs an alias in a slave that invokes "safesubset" |
871 | # in the master to execute allowed subcommands. It precomputes the pattern |
872 | # of allowed subcommands; you can use wildcards in the pattern if you wish |
873 | # to allow subcommand abbreviation. |
874 | # |
875 | # Syntax is: AliasSubset slave alias target subcommand1 subcommand2... |
876 | |
proc AliasSubset {slave alias target args} {
    # Install $alias in $slave so that it is routed through Subset in the
    # master with an anchored regexp built once from the allowed names.
    #
    # Arguments:
    #   slave    the slave interpreter receiving the alias.
    #   alias    command name visible in the slave.
    #   target   master-side command the alias ultimately runs.
    #   args     allowed subcommand names (regexp wildcards permitted when
    #            abbreviation should be accepted).
    #
    # Results: the result of the "interp alias" call.

    # Build "^(sub1|sub2|...)$" from the allowed subcommand names.
    set alternatives [join $args |]
    set pat "^($alternatives)\$"
    ::interp alias $slave $alias {} \
	[namespace current]::Subset $slave $target $pat
}
887 | |
888 | # AliasEncoding is the target of the "encoding" alias in safe interpreters. |
889 | |
proc AliasEncoding {slave args} {
    # Let the slave run the "encoding" subcommands matching
    # ^(name.*|convert.*)$ (name listing and string conversion) and query
    # the system encoding; "encoding system" with any further argument is
    # refused, so the slave cannot change the system encoding.
    #
    # Arguments:
    #   slave   the slave interpreter making the call.
    #   args    the encoding subcommand followed by its arguments.
    #
    # Results: the result of the hidden "encoding" command, or an error.

    set nArgs [llength $args]
    set subcommand [lindex $args 0]

    # Name listing and conversions go straight through to the hidden
    # command.
    if {[regexp "^(name.*|convert.*)\$" $subcommand]} {
	set cmd [linsert $args 0 ::interp invokehidden $slave encoding]
	return [eval $cmd]
    }

    # Any prefix of "system" is accepted, but only in the query form.
    if {[string first $subcommand system] != 0} {
	set msg "wrong # args: should be \"encoding option ?arg ...?\""
	Log $slave $msg
	error $msg
    }
    if {$nArgs != 1} {
	set msg "wrong # args: should be \"encoding system\""
	Log $slave $msg
	error $msg
    }
    if {[catch {::interp invokehidden $slave encoding system} msg]} {
	Log $slave $msg
	return -code error "script error"
    }
    return $msg
}
923 | |
924 | } |