OpenCores
URL https://opencores.org/ocsvn/or1k_old/or1k_old/trunk

Subversion Repositories or1k_old

[/] [or1k_old/] [trunk/] [insight/] [tcl/] [doc/] [interp.n] - Blame information for rev 1782

Details | Compare with Previous | View Log

Line No. Rev Author Line
1 578 markom 
'\"
2 
'\" Copyright (c) 1995-1996 Sun Microsystems, Inc.
3 
'\"
4 
'\" See the file "license.terms" for information on usage and redistribution
5 
'\" of this file, and for a DISCLAIMER OF ALL WARRANTIES.
6 
'\"
7 
'\" RCS: @(#) $Id: interp.n,v 1.1.1.1 2002-01-16 10:25:24 markom Exp $
8 
'\"
9 
.so man.macros
10 
.TH interp n 7.6 Tcl "Tcl Built-In Commands"
11 
.BS
12 
'\" Note:  do not modify the .SH NAME line immediately below!
13 
.SH NAME
14 
interp \- Create and manipulate Tcl interpreters
15 
.SH SYNOPSIS
16 
\fBinterp \fIoption \fR?\fIarg arg ...\fR?
17 
.BE
18 
 
19 
.SH DESCRIPTION
20 
.PP
21 
This command makes it possible to create one or more new Tcl
22 
interpreters that co-exist with the creating interpreter in the
23 
same application.  The creating interpreter is called the \fImaster\fR
24 
and the new interpreter is called a \fIslave\fR.
25 
A master can create any number of slaves, and each slave can
26 
itself create additional slaves for which it is master, resulting
27 
in a hierarchy of interpreters.
28 
.PP
29 
Each interpreter is independent from the others: it has its own name
30 
space for commands, procedures, and global variables.
31 
A master interpreter may create connections between its slaves and
32 
itself using a mechanism called an \fIalias\fR.  An \fIalias\fR is
33 
a command in a slave interpreter which, when invoked, causes a
34 
command to be invoked in its master interpreter or in another slave
35 
interpreter.  The only other connections between interpreters are
36 
through environment variables (the \fBenv\fR variable), which are
37 
normally shared among all interpreters in the application. Note that the
38 
name space for files (such as the names returned by the \fBopen\fR command)
39 
is no longer shared between interpreters. Explicit commands are provided to
40 
share files and to transfer references to open files from one interpreter
41 
to another.
42 
.PP
43 
The \fBinterp\fR command also provides support for \fIsafe\fR
44 
interpreters.  A safe interpreter is a slave whose functions have
45 
been greatly restricted, so that it is safe to execute untrusted
46 
scripts without fear of them damaging other interpreters or the
47 
application's environment. For example, all IO channel creation
48 
commands and subprocess creation commands are made inaccessible to safe
49 
interpreters.
50 
.VS
51 
See SAFE INTERPRETERS below for more information on
52 
what features are present in a safe interpreter.
53 
The dangerous functionality is not removed from the safe interpreter;
54 
instead, it is \fIhidden\fR, so that only trusted interpreters can obtain
55 
access to it. For a detailed explanation of hidden commands, see
56 
HIDDEN COMMANDS, below.
57 
The alias mechanism can be used for protected communication (analogous to a
58 
kernel call) between a slave interpreter and its master. See ALIAS
59 
INVOCATION, below, for more details on how the alias mechanism works.
60 
.VE
61 
.PP
62 
A qualified interpreter name is a proper Tcl lists containing a subset of its
63 
ancestors in the interpreter hierarchy, terminated by the string naming the
64 
interpreter in its immediate master. Interpreter names are relative to the
65 
interpreter in which they are used. For example, if \fBa\fR is a slave of
66 
the current interpreter and it has a slave \fBa1\fR, which in turn has a
67 
slave \fBa11\fR, the qualified name of \fBa11\fR in \fBa\fR is the list
68 
\fBa1 a11\fR.
69 
.PP
70 
The \fBinterp\fR command, described below, accepts qualified interpreter
71 
names as arguments; the interpreter in which the command is being evaluated
72 
can always be referred to as \fB{}\fR (the empty list or string). Note that
73 
it is impossible to refer to a master (ancestor) interpreter by name in a
74 
slave interpreter except through aliases. Also, there is no global name by
75 
which one can refer to the first interpreter created in an application.
76 
Both restrictions are motivated by safety concerns.
77 
 
78 
.VS
79 
.SH "THE INTERP COMMAND"
80 
.PP
81 
.VE
82 
The \fBinterp\fR command is used to create, delete, and manipulate
83 
slave interpreters, and to share or transfer
84 
channels between interpreters.  It can have any of several forms, depending
85 
on the \fIoption\fR argument:
86 
.TP
87 
\fBinterp\fR \fBalias\fR \fIsrcPath\fR \fIsrcCmd\fR
88 
Returns a Tcl list whose elements are the \fItargetCmd\fR and
89 
\fIarg\fRs associated with the alias named \fIsrcCmd\fR
90 
(all of these are the values specified when the alias was
91 
created; it is possible that the actual source command in the
92 
slave is different from \fIsrcCmd\fR if it was renamed).
93 
.TP
94 
\fBinterp\fR \fBalias\fR \fIsrcPath\fR \fIsrcCmd\fR \fB{}\fR
95 
Deletes the alias for \fIsrcCmd\fR in the slave interpreter identified by
96 
\fIsrcPath\fR.
97 
\fIsrcCmd\fR refers to the name under which the alias
98 
was created;  if the source command has been renamed, the renamed
99 
command will be deleted.
100 
.TP
101 
\fBinterp\fR \fBalias\fR \fIsrcPath\fR \fIsrcCmd\fR \fItargetPath\fR \fItargetCmd \fR?\fIarg arg ...\fR?
102 
This command creates an alias between one slave and another (see the
103 
\fBalias\fR slave command below for creating aliases between a slave
104 
and its master).  In this command, either of the slave interpreters
105 
may be anywhere in the hierarchy of interpreters under the interpreter
106 
invoking the command.
107 
\fISrcPath\fR and \fIsrcCmd\fR identify the source of the alias.
108 
\fISrcPath\fR is a Tcl list whose elements select a particular
109 
interpreter.  For example, ``\fBa b\fR'' identifies an interpreter
110 
\fBb\fR, which is a slave of interpreter \fBa\fR, which is a slave
111 
of the invoking interpreter.  An empty list specifies the interpreter
112 
invoking the command.  \fIsrcCmd\fR gives the name of a new
113 
command, which will be created in the source interpreter.
114 
\fITargetPath\fR and \fItargetCmd\fR specify a target interpreter
115 
and command, and the \fIarg\fR arguments, if any, specify additional
116 
arguments to \fItargetCmd\fR which are prepended to any arguments specified
117 
in the invocation of \fIsrcCmd\fR.
118 
\fITargetCmd\fR may be undefined at the time of this call, or it may
119 
already exist; it is not created by this command.
120 
The alias arranges for the given target command to be invoked
121 
in the target interpreter whenever the given source command is
122 
invoked in the source interpreter.  See ALIAS INVOCATION below for
123 
more details.
124 
.TP
125 
\fBinterp\fR \fBaliases \fR?\fIpath\fR?
126 
This command returns a Tcl list of the names of all the source commands for
127 
aliases defined in the interpreter identified by \fIpath\fR.
128 
.TP
129 
\fBinterp\fR \fBcreate \fR?\fB\-safe\fR? ?\fB\-\|\-\fR? ?\fIpath\fR?
130 
Creates a slave interpreter identified by \fIpath\fR and a new command,
131 
called a \fIslave command\fR. The name of the slave command is the last
132 
component of \fIpath\fR. The new slave interpreter and the slave command
133 
are created in the interpreter identified by the path obtained by removing
134 
the last component from \fIpath\fR. For example, if \fIpath is \fBa b
135 
c\fR then a new slave interpreter and slave command named \fBc\fR are
136 
created in the interpreter identified by the path \fBa b\fR.
137 
The slave command may be used to manipulate the new interpreter as
138 
described below. If \fIpath\fR is omitted, Tcl creates a unique name of the
139 
form \fBinterp\fIx\fR, where \fIx\fR is an integer, and uses it for the
140 
interpreter and the slave command. If the \fB\-safe\fR switch is specified
141 
(or if the master interpreter is a safe interpreter), the new slave
142 
interpreter will be created as a safe interpreter with limited
143 
functionality; otherwise the slave will include the full set of Tcl
144 
built-in commands and variables. The \fB\-\|\-\fR switch can be used to
145 
mark the end of switches;  it may be needed if \fIpath\fR is an unusual
146 
value such as \fB\-safe\fR. The result of the command is the name of the
147 
new interpreter. The name of a slave interpreter must be unique among all
148 
the slaves for its master;  an error occurs if a slave interpreter by the
149 
given name already exists in this master.
150 
.TP
151 
\fBinterp\fR \fBdelete \fR?\fIpath ...?\fR
152 
Deletes zero or more interpreters given by the optional \fIpath\fR
153 
arguments, and for each interpreter, it also deletes its slaves. The
154 
command also deletes the slave command for each interpreter deleted.
155 
For each \fIpath\fR argument, if no interpreter by that name
156 
exists, the command raises an error.
157 
.TP
158 
\fBinterp\fR \fBeval\fR \fIpath arg \fR?\fIarg ...\fR?
159 
This command concatenates all of the \fIarg\fR arguments in the same
160 
fashion as the \fBconcat\fR command, then evaluates the resulting string as
161 
a Tcl script in the slave interpreter identified by \fIpath\fR. The result
162 
of this evaluation (including error information such as the \fBerrorInfo\fR
163 
and \fBerrorCode\fR variables, if an error occurs) is returned to the
164 
invoking interpreter.
165 
.TP
166 
\fBinterp exists \fIpath\fR
167 
Returns  \fB1\fR if a slave interpreter by the specified \fIpath\fR
168 
exists in this master, \fB0\fR otherwise. If \fIpath\fR is omitted, the
169 
invoking interpreter is used.
170 
.VS "" BR
171 
.TP
172 
\fBinterp expose \fIpath\fR \fIhiddenName\fR ?\fIexposedCmdName\fR?
173 
Makes the hidden command \fIhiddenName\fR exposed, eventually bringing
174 
it back under a new \fIexposedCmdName\fR name (this name is currently
175 
accepted only if it is a valid global name space name without any ::),
176 
in the interpreter
177 
denoted by \fIpath\fR.
178 
If an exposed command with the targetted name already exists, this command
179 
fails.
180 
Hidden commands are explained in more detail in HIDDEN COMMANDS, below.
181 
.TP
182 
\fBinterp\fR \fBhide\fR \fIpath\fR \fIexposedCmdName\fR ?\fIhiddenCmdName\fR?
183 
Makes the exposed command \fIexposedCmdName\fR hidden, renaming
184 
it to the hidden command \fIhiddenCmdName\fR, or keeping the same name if
185 
\fIhiddenCmdName\fR is not given, in the interpreter denoted
186 
by \fIpath\fR.
187 
If a hidden command with the targetted name already exists, this command
188 
fails.
189 
Currently both \fIexposedCmdName\fR and \fIhiddenCmdName\fR can
190 
not contain namespace qualifiers, or an error is raised.
191 
Commands to be hidden by \fBinterp hide\fR are looked up in the global
192 
namespace even if the current namespace is not the global one. This
193 
prevents slaves from fooling a master interpreter into hiding the wrong
194 
command, by making the current namespace be different from the global one.
195 
Hidden commands are explained in more detail in HIDDEN COMMANDS, below.
196 
.TP
197 
\fBinterp\fR \fBhidden\fR \fIpath\fR
198 
Returns a list of the names of all hidden commands in the interpreter
199 
identified by \fIpath\fR.
200 
.TP
201 
\fBinterp\fR \fBinvokehidden\fR \fIpath\fR ?\fB-global\fR? \fIhiddenCmdName\fR ?\fIarg ...\fR?
202 
Invokes the hidden command \fIhiddenCmdName\fR with the arguments supplied
203 
in the interpreter denoted by \fIpath\fR. No substitutions or evaluation
204 
are applied to the arguments.
205 
If the \fB-global\fR flag is present, the hidden command is invoked at the
206 
global level in the target interpreter; otherwise it is invoked at the
207 
current call frame and can access local variables in that and outer call
208 
frames.
209 
Hidden commands are explained in more detail in HIDDEN COMMANDS, below.
210 
.VE
211 
.TP
212 
\fBinterp issafe\fR ?\fIpath\fR?
213 
Returns \fB1\fR if the interpreter identified by the specified \fIpath\fR
214 
is safe, \fB0\fR otherwise.
215 
.VS "" BR
216 
.TP
217 
\fBinterp marktrusted\fR \fIpath\fR
218 
Marks the interpreter identified by \fIpath\fR as trusted. Does
219 
not expose the hidden commands. This command can only be invoked from a
220 
trusted interpreter.
221 
The command has no effect if the interpreter identified by \fIpath\fR is
222 
already trusted.
223 
.VE
224 
.TP
225 
\fBinterp\fR \fBshare\fR \fIsrcPath channelId destPath\fR
226 
Causes the IO channel identified by \fIchannelId\fR to become shared
227 
between the interpreter identified by \fIsrcPath\fR and the interpreter
228 
identified by \fIdestPath\fR. Both interpreters have the same permissions
229 
on the IO channel.
230 
Both interpreters must close it to close the underlying IO channel; IO
231 
channels accessible in an interpreter are automatically closed when an
232 
interpreter is destroyed.
233 
.TP
234 
\fBinterp\fR \fBslaves\fR ?\fIpath\fR?
235 
Returns a Tcl list of the names of all the slave interpreters associated
236 
with the interpreter identified by \fIpath\fR. If \fIpath\fR is omitted,
237 
the invoking interpreter is used.
238 
.TP
239 
\fBinterp\fR \fBtarget\fR \fIpath alias\fR
240 
Returns a Tcl list describing the target interpreter for an alias. The
241 
alias is specified with an interpreter path and source command name, just
242 
as in \fBinterp alias\fR above. The name of the target interpreter is
243 
returned as an interpreter path, relative to the invoking interpreter.
244 
If the target interpreter for the alias is the invoking interpreter then an
245 
empty list is returned. If the target interpreter for the alias is not the
246 
invoking interpreter or one of its descendants then an error is generated.
247 
The target command does not have to be defined at the time of this invocation.
248 
.TP
249 
\fBinterp\fR \fBtransfer\fR \fIsrcPath channelId destPath\fR
250 
Causes the IO channel identified by \fIchannelId\fR to become available in
251 
the interpreter identified by \fIdestPath\fR and unavailable in the
252 
interpreter identified by \fIsrcPath\fR.
253 
 
254 
.SH "SLAVE COMMAND"
255 
.PP
256 
For each slave interpreter created with the \fBinterp\fR command, a
257 
new Tcl command is created in the master interpreter with the same
258 
name as the new interpreter. This command may be used to invoke
259 
various operations on the interpreter.  It has the following
260 
general form:
261 
.CS
262 
\fIslave command \fR?\fIarg arg ...\fR?
263 
.CE
264 
\fISlave\fR is the name of the interpreter, and \fIcommand\fR
265 
and the \fIarg\fRs determine the exact behavior of the command.
266 
The valid forms of this command are:
267 
.TP
268 
\fIslave \fBaliases\fR
269 
Returns a Tcl list whose elements are the names of all the
270 
aliases in \fIslave\fR.  The names returned are the \fIsrcCmd\fR
271 
values used when the aliases were created (which may not be the same
272 
as the current names of the commands, if they have been
273 
renamed).
274 
.TP
275 
\fIslave \fBalias \fIsrcCmd\fR
276 
Returns a Tcl list whose elements are the \fItargetCmd\fR and
277 
\fIarg\fRs associated with the alias named \fIsrcCmd\fR
278 
(all of these are the values specified when the alias was
279 
created; it is possible that the actual source command in the
280 
slave is different from \fIsrcCmd\fR if it was renamed).
281 
.TP
282 
\fIslave \fBalias \fIsrcCmd \fB{}\fR
283 
Deletes the alias for \fIsrcCmd\fR in the slave interpreter.
284 
\fIsrcCmd\fR refers to the name under which the alias
285 
was created;  if the source command has been renamed, the renamed
286 
command will be deleted.
287 
.TP
288 
\fIslave \fBalias \fIsrcCmd targetCmd \fR?\fIarg ..\fR?
289 
Creates an alias such that whenever \fIsrcCmd\fR is invoked
290 
in \fIslave\fR, \fItargetCmd\fR is invoked in the master.
291 
The \fIarg\fR arguments will be passed to \fItargetCmd\fR as additional
292 
arguments, prepended before any arguments passed in the invocation of
293 
\fIsrcCmd\fR.
294 
See ALIAS INVOCATION below for details.
295 
.TP
296 
\fIslave \fBeval \fIarg \fR?\fIarg ..\fR?
297 
This command concatenates all of the \fIarg\fR arguments in
298 
the same fashion as the \fBconcat\fR command, then evaluates
299 
the resulting string as a Tcl script in \fIslave\fR.
300 
The result of this evaluation (including error information
301 
such as the \fBerrorInfo\fR and \fBerrorCode\fR variables, if an
302 
error occurs) is returned to the invoking interpreter.
303 
.VS "" BR
304 
.TP
305 
\fIslave \fBexpose \fIhiddenName \fR?\fIexposedCmdName\fR?
306 
This command exposes the hidden command \fIhiddenName\fR, eventually bringing
307 
it back under a new \fIexposedCmdName\fR name (this name is currently
308 
accepted only if it is a valid global name space name without any ::),
309 
in \fIslave\fR.
310 
If an exposed command with the targetted name already exists, this command
311 
fails.
312 
For more details on hidden commands, see HIDDEN COMMANDS, below.
313 
.TP
314 
\fIslave \fBhide \fIexposedCmdName\fR ?\fIhiddenCmdName\fR?
315 
This command hides the exposed command \fIexposedCmdName\fR, renaming it to
316 
the hidden command \fIhiddenCmdName\fR, or keeping the same name if the
317 
the argument is not given, in the \fIslave\fR interpreter.
318 
If a hidden command with the targetted name already exists, this command
319 
fails.
320 
Currently both \fIexposedCmdName\fR and \fIhiddenCmdName\fR can
321 
not contain namespace qualifiers, or an error is raised.
322 
Commands to be hidden are looked up in the global
323 
namespace even if the current namespace is not the global one. This
324 
prevents slaves from fooling a master interpreter into hiding the wrong
325 
command, by making the current namespace be different from the global one.
326 
For more details on hidden commands, see HIDDEN COMMANDS, below.
327 
.TP
328 
\fIslave \fBhidden\fR
329 
Returns a list of the names of all hidden commands in \fIslave\fR.
330 
.TP
331 
\fIslave \fBinvokehidden\fR ?\fB-global\fR \fIhiddenName \fR?\fIarg ..\fR?
332 
This command invokes the hidden command \fIhiddenName\fR with the
333 
supplied arguments, in \fIslave\fR. No substitutions or evaluations are
334 
applied to the arguments.
335 
If the \fB-global\fR flag is given, the command is invoked at the global
336 
level in the slave; otherwise it is invoked at the current call frame and
337 
can access local variables in that or outer call frames.
338 
For more details on hidden commands, see HIDDEN
339 
COMMANDS, below.
340 
.VE
341 
.TP
342 
\fIslave \fBissafe\fR
343 
Returns  \fB1\fR if the slave interpreter is safe, \fB0\fR otherwise.
344 
.VS "" BR
345 
.TP
346 
\fIslave \fBmarktrusted\fR
347 
Marks the slave interpreter as trusted. Can only be invoked by a
348 
trusted interpreter. This command does not expose any hidden
349 
commands in the slave interpreter. The command has no effect if the slave
350 
is already trusted.
351 
.VE
352 
 
353 
.SH "SAFE INTERPRETERS"
354 
.PP
355 
A safe interpreter is one with restricted functionality, so that
356 
is safe to execute an arbitrary script from your worst enemy without
357 
fear of that script damaging the enclosing application or the rest
358 
of your computing environment.  In order to make an interpreter
359 
safe, certain commands and variables are removed from the interpreter.
360 
For example, commands to create files on disk are removed, and the
361 
\fBexec\fR command is removed, since it could be used to cause damage
362 
through subprocesses.
363 
Limited access to these facilities can be provided, by creating
364 
aliases to the master interpreter which check their arguments carefully
365 
and provide restricted access to a safe subset of facilities.
366 
For example, file creation might be allowed in a particular subdirectory
367 
and subprocess invocation might be allowed for a carefully selected and
368 
fixed set of programs.
369 
.PP
370 
A safe interpreter is created by specifying the \fB\-safe\fR switch
371 
to the \fBinterp create\fR command.  Furthermore, any slave created
372 
by a safe interpreter will also be safe.
373 
.PP
374 
A safe interpreter is created with exactly the following set of
375 
built-in commands:
376 
.DS
377 
.ta 1.2i 2.4i 3.6i
378 
\fBafter        append  array   break
379 
case    catch   clock   close
380 
concat  continue        eof     error
381 
eval    expr    fblocked        fileevent
382 
flush   for     foreach format
383 
gets    global  history if
384 
incr    info    interp  join
385 
lappend lindex  linsert list
386 
llength lower   lrange  lreplace
387 
lsearch lsort   package pid
388 
proc    puts    read    rename
389 
return  scan    seek    set
390 
split   string  subst   switch
391 
tell    trace   unset   update
392 
uplevel upvar   vwait   while\fR
393 
.DE
394 
.VS ""  BR
395 
The following commands are hidden by \fBinterp create\fR when it
396 
creates a safe interpreter:
397 
.DS
398 
.ta 1.2i 2.4i 3.6i
399 
\fBcd   exec    exit    fconfigure
400 
file    glob    load    open
401 
pwd     socket  source  vwait\fR
402 
.DE
403 
These commands can be recreated later as Tcl procedures or aliases, or
404 
re-exposed by \fBinterp expose\fR.
405 
.VE
406 
.PP
407 
In addition, the \fBenv\fR variable is not present in a safe interpreter,
408 
so it cannot share environment variables with other interpreters. The
409 
\fBenv\fR variable poses a security risk, because users can store
410 
sensitive information in an environment variable. For example, the PGP
411 
manual recommends storing the PGP private key protection password in
412 
the environment variable \fIPGPPASS\fR. Making this variable available
413 
to untrusted code executing in a safe interpreter would incur a
414 
security risk.
415 
.PP
416 
If extensions are loaded into a safe interpreter, they may also restrict
417 
their own functionality to eliminate unsafe commands. For a discussion of
418 
management of extensions for safety see the manual entries for
419 
\fBSafe\-Tcl\fR and the \fBload\fR Tcl command.
420 
 
421 
.SH "ALIAS INVOCATION"
422 
.PP
423 
The alias mechanism has been carefully designed so that it can
424 
be used safely when an untrusted script is executing
425 
in a safe slave and the target of the alias is a trusted
426 
master.  The most important thing in guaranteeing safety is to
427 
ensure that information passed from the slave to the master is
428 
never evaluated or substituted in the master;  if this were to
429 
occur, it would enable an evil script in the slave to invoke
430 
arbitrary functions in the master, which would compromise security.
431 
.PP
432 
When the source for an alias is invoked in the slave interpreter, the
433 
usual Tcl substitutions are performed when parsing that command.
434 
These substitutions are carried out in the source interpreter just
435 
as they would be for any other command invoked in that interpreter.
436 
The command procedure for the source command takes its arguments
437 
and merges them with the \fItargetCmd\fR and \fIarg\fRs for the
438 
alias to create a new array of arguments.  If the words
439 
of \fIsrcCmd\fR were ``\fIsrcCmd arg1 arg2 ... argN\fR'',
440 
the new set of words will be
441 
``\fItargetCmd arg arg ... arg arg1 arg2 ... argN\fR'',
442 
where \fItargetCmd\fR and \fIarg\fRs are the values supplied when the
443 
alias was created.  \fITargetCmd\fR is then used to locate a command
444 
procedure in the target interpreter, and that command procedure
445 
is invoked with the new set of arguments.  An error occurs if
446 
there is no command named \fItargetCmd\fR in the target interpreter.
447 
No additional substitutions are performed on the words:  the
448 
target command procedure is invoked directly, without
449 
going through the normal Tcl evaluation mechanism.
450 
Substitutions are thus performed on each word exactly once:
451 
\fItargetCmd\fR and \fIargs\fR were substituted when parsing the command
452 
that created the alias, and \fIarg1 - argN\fR are substituted when
453 
the alias's source command is parsed in the source interpreter.
454 
.PP
455 
When writing the \fItargetCmd\fRs for aliases in safe interpreters,
456 
it is very important that the arguments to that command never be
457 
evaluated or substituted, since this would provide an escape
458 
mechanism whereby the slave interpreter could execute arbitrary
459 
code in the master.  This in turn would compromise the security
460 
of the system.
461 
 
462 
.VS
463 
.SH "HIDDEN COMMANDS"
464 
.PP
465 
Safe interpreters greatly restrict the functionality available to Tcl
466 
programs executing within them.
467 
Allowing the untrusted Tcl program to have direct access to this
468 
functionality is unsafe, because it can be used for a variety of
469 
attacks on the environment.
470 
However, there are times when there is a legitimate need to use the
471 
dangerous functionality in the context of the safe interpreter. For
472 
example, sometimes a program must be \fBsource\fRd into the interpreter.
473 
Another example is Tk, where windows are bound to the hierarchy of windows
474 
for a specific interpreter; some potentially dangerous functions, e.g.
475 
window management, must be performed on these windows within the
476 
interpreter context.
477 
.PP
478 
The \fBinterp\fR command provides a solution to this problem in the form of
479 
\fIhidden commands\fR. Instead of removing the dangerous commands entirely
480 
from a safe interpreter, these commands are hidden so they become
481 
unavailable to Tcl scripts executing in the interpreter. However, such
482 
hidden commands can be invoked by any trusted ancestor of the safe
483 
interpreter, in the context of the safe interpreter, using \fBinterp
484 
invoke\fR. Hidden commands and exposed commands reside in separate name
485 
spaces. It is possible to define a hidden command and an exposed command by
486 
the same name within one interpreter.
487 
.PP
488 
Hidden commands in a slave interpreter can be invoked in the body of
489 
procedures called in the master during alias invocation. For example, an
490 
alias for \fBsource\fR could be created in a slave interpreter. When it is
491 
invoked in the slave interpreter, a procedure is called in the master
492 
interpreter to check that the operation is allowable (e.g. it asks to
493 
source a file that the slave interpreter is allowed to access). The
494 
procedure then it invokes the hidden \fBsource\fR command in the slave
495 
interpreter to actually source in the contents of the file. Note that two
496 
commands named \fBsource\fR exist in the slave interpreter: the alias, and
497 
the hidden command.
498 
.PP
499 
Because a master interpreter may invoke a hidden command as part of
500 
handling an alias invocation, great care must be taken to avoid evaluating
501 
any arguments passed in through the alias invocation.
502 
Otherwise, malicious slave interpreters could cause a trusted master
503 
interpreter to execute dangerous commands on their behalf. See the section
504 
on ALIAS INVOCATION for a more complete discussion of this topic.
505 
To help avoid this problem, no substitutions or evaluations are
506 
applied to arguments of \fBinterp invokehidden\fR.
507 
.PP
508 
Safe interpreters are not allowed to invoke hidden commands in themselves
509 
or in their descendants. This prevents safe slaves from gaining access to
510 
hidden functionality in themselves or their descendants.
511 
.PP
512 
The set of hidden commands in an interpreter can be manipulated by a trusted
513 
interpreter using \fBinterp expose\fR and \fBinterp hide\fR. The \fBinterp
514 
expose\fR command moves a hidden command to the
515 
set of exposed commands in the interpreter identified by \fIpath\fR,
516 
potentially renaming the command in the process. If an exposed command by
517 
the targetted name already exists, the operation fails. Similarly,
518 
\fBinterp hide\fR moves an exposed command to the set of hidden commands in
519 
that interpreter. Safe interpreters are not allowed to move commands
520 
between the set of hidden and exposed commands, in either themselves or
521 
their descendants.
522 
.PP
523 
Currently, the names of hidden commands cannot contain namespace
524 
qualifiers, and you must first rename a command in a namespace to the
525 
global namespace before you can hide it.
526 
Commands to be hidden by \fBinterp hide\fR are looked up in the global
527 
namespace even if the current namespace is not the global one. This
528 
prevents slaves from fooling a master interpreter into hiding the wrong
529 
command, by making the current namespace be different from the global one.
530 
.VE
531 
.SH CREDITS
532 
.PP
533 
This mechanism is based on the Safe-Tcl prototype implemented
534 
by Nathaniel Borenstein and Marshall Rose.
535 
 
536 
.SH "SEE ALSO"
537 
load(n), safe(n), Tcl_CreateSlave(3)
538 
 
539 
.SH KEYWORDS
540 
alias, master interpreter, safe interpreter, slave interpreter

powered by: WebSVN 2.1.0

© copyright 1999-2024 OpenCores.org, equivalent to Oliscience, all rights reserved. OpenCores®, registered trademark.