NAME

loadTk - Loads Tk into a safe interpreter.

SYNOPSIS

::safe::loadTk slave ?-use windowId?
Safe Tk is based on Safe Tcl which provides a mechanism that allows restricted and mediated access to auto-loading and packages for safe interpreters. Safe Tk adds the ability to configure the interpreter for safe Tk operations and load Tk into safe interpreters.

DESCRIPTION

The ::safe::loadTk command initializes the required data structures in the named safe interpreter and then loads Tk into it. The command returns the name of the safe interpreter. If -use is specified, the window identified by the specified system dependent identifier windowId is used to contain the ``.'' window of the safe interpreter. Otherwise, a new toplevel window is created for the ``.'' window of the safe interpreter. See the SECURITY ISSUES section below for implementation details.

SECURITY ISSUES

Please read the safe manual page for Tcl to learn about the basic security considerations for Safe Tcl.

Information in the safe interpreter should never be trusted for security purposes. However, because Tk initialization in the safe interpreter uses local information, it is unsafe if the safe interpreter could have gained control before Tk is loaded. This will be fixed in an upcoming release, by making Tk initialization in a safe interpreter use only information found in the interpreter's master.

You should therefore use safe::loadTk $slave as soon as possible after safe::interpCreate and before any code is evaluated in the safe interpreter. The preferred sequence is:

set slave [::safe::loadTk [::safe::interpCreate]]
If you want to prevent safe interpreters from loading Tk entirely, you should create the interpreter as follows:
::safe::interpCreate -nostatics -accesspath {directories...}
and you must also insure that the virtual access path directories for the interpreter does not contain a dynamically loadable version of Tk.

::safe::loadTk adds the value of tk_library taken from the master interpreter to the virtual access path of the safe interpreter so that auto-loading will work in the safe interpreter. It also sets env(DISPLAY) in the safe interpreter to the value of env(DISPLAY) in the master interpreter, if it exists. Finally, it sets the slave's Tcl variable argv to -use windowId in the safe interpreter. When -use is not used, the new toplevel created is specially decorated so the user is always aware that the user interface presented comes from a potentially unsafe code and can easilly delete the corresponding interpreter.

SEE ALSO

safe, interp, library, load, package, source, unknown

KEYWORDS

alias, auto-loading, auto_mkindex, load, master interpreter, safe interpreter, slave interpreter, source
Copyright © 1995-1996 Sun Microsystems, Inc.
Copyright © 1995-1997 Roger E. Critchlow Jr.