Information in the safe interpreter should never be trusted for security purposes. However, because Tk initialization in the safe interpreter uses local information, it is unsafe if the safe interpreter could have gained control before Tk is loaded. This will be fixed in an upcoming release, by making Tk initialization in a safe interpreter use only information found in the interpreter's master.
You should therefore use safe::loadTk $slave as soon as possible after safe::interpCreate and before any code is evaluated in the safe interpreter. The preferred sequence is:

    set slave [::safe::loadTk [::safe::interpCreate]]

If you want to prevent safe interpreters from loading Tk entirely, you should create the interpreter as follows:

    ::safe::interpCreate -nostatics -accesspath {directories...}

and you must also ensure that the virtual access path directories for the interpreter do not contain a dynamically loadable version of Tk.
::safe::loadTk adds the value of tk_library taken from the master interpreter to the virtual access path of the safe interpreter so that auto-loading will work in the safe interpreter. It also sets env(DISPLAY) in the safe interpreter to the value of env(DISPLAY) in the master interpreter, if it exists. Finally, it sets the slave's Tcl variable argv to -use windowId in the safe interpreter. When -use is not used, the new toplevel created is specially decorated so the user is always aware that the user interface presented comes from potentially unsafe code and can easily delete the corresponding interpreter.
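The two sequences described above, written out as an added example that is not part of the original manual page. It is meant to be run under wish from the trusted master; the procedure names runWithTk, findLoadableTk and createWithoutTk are hypothetical, the option spelling -noStatics / -accessPath follows the safe(n) manual page, and the file-name scan is a heuristic assumption about how a loadable Tk library is named.

```tcl
# Added example: run in the trusted master interpreter under wish.
package require Tk

# Hypothetical helper: Tk is loaded into the new safe interpreter in the
# same command that creates it, so no slave code can run before Tk init.
proc runWithTk {untrustedScript} {
    set slave [::safe::loadTk [::safe::interpCreate]]
    set code [catch {interp eval $slave $untrustedScript} result]
    return [list $slave $code $result]
}

# Hypothetical helper (heuristic): list files in the given directories
# that look like a dynamically loadable Tk (tk86.dll, libtk8.6.so, ...).
# Only the listed directories are scanned, not their subdirectories.
proc findLoadableTk {dirs} {
    set ext [info sharedlibextension]
    set hits {}
    foreach dir $dirs {
        foreach f [glob -nocomplain -directory $dir -types f -- \
                       tk*$ext* libtk*$ext*] {
            lappend hits $f
        }
    }
    return $hits
}

# Hypothetical helper: create a safe interpreter that must not get Tk.
# Refuses to create it if the access path exposes a loadable Tk.
proc createWithoutTk {dirs} {
    set hits [findLoadableTk $dirs]
    if {[llength $hits] > 0} {
        error "access path exposes a loadable Tk: $hits"
    }
    return [::safe::interpCreate -noStatics -accessPath $dirs]
}

# Constructed sample usage: the untrusted script and directory are examples.
lassign [runWithTk {button .b -text "from slave"; pack .b}] s1 code result
puts "Tk slave $s1: code=$code result=$result"

set s2 [createWithoutTk [list [info library]]]
# The slave's own attempt to load the static Tk package is refused.
set failed [catch {interp eval $s2 {load {} Tk}} msg]
puts "no-Tk slave $s2: load failed=$failed ($msg)"
::safe::interpDelete $s2
```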
Copyright © 1995-1996 Sun Microsystems, Inc. Copyright © 1995-1997 Roger E. Critchlow Jr.