summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordkf <donal.k.fellows@manchester.ac.uk>2011-09-26 10:46:36 (GMT)
committerdkf <donal.k.fellows@manchester.ac.uk>2011-09-26 10:46:36 (GMT)
commit643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac (patch)
treefefa07fe0a7c1d24f6f787f9521de1b302a1e4b3
parente3352567a2a3af2547b61485e6b91c0efd03533b (diff)
downloadtcl-643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac.zip
tcl-643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac.tar.gz
tcl-643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac.tar.bz2
Make [file] itself be safe, to reduce breakage in existing code. [Bug 3211758]
-rw-r--r--ChangeLog7
-rw-r--r--generic/tclCmdAH.c11
-rw-r--r--tests/safe.test16
3 files changed, 34 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index ecac917..9673852 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-09-26 Donal K. Fellows <dkf@users.sf.net>
+
+ * generic/tclCmdAH.c (TclMakeFileCommandSafe): [Bug 3211758]: Also
+ make the main [file] command hidden by default in safe interpreters,
+ because that's what existing code expects. This will reduce the amount
+ which the code breaks, but not necessarily eliminate it...
+
2011-09-23 Don Porter <dgp@users.sourceforge.net>
* generic/tclIORTrans.c: More revisions to get finalization of
diff --git a/generic/tclCmdAH.c b/generic/tclCmdAH.c
index fc9d39d..d036bd6 100644
--- a/generic/tclCmdAH.c
+++ b/generic/tclCmdAH.c
@@ -1063,6 +1063,17 @@ TclMakeFileCommandSafe(
}
Tcl_DStringFree(&oldBuf);
Tcl_DStringFree(&newBuf);
+
+ /*
+ * Ugh. The [file] command is now actually safe, but it is assumed by
+ * scripts that it is not, which messes up security policies. [Bug
+ * 3211758]
+ */
+
+ if (Tcl_HideCommand(interp, "file", "file") != TCL_OK) {
+ Tcl_Panic("problem making 'file' safe: %s",
+ Tcl_GetString(Tcl_GetObjResult(interp)));
+ }
return TCL_OK;
}
diff --git a/tests/safe.test b/tests/safe.test
index 0f82a6a..4190976 100644
--- a/tests/safe.test
+++ b/tests/safe.test
@@ -541,6 +541,22 @@ test safe-12.7 {glob is restricted} -setup {
} -cleanup {
safe::interpDelete $i
} -match glob -result *
+
+test safe-13.1 {safe file ensemble does not surprise code} -setup {
+ set i [interp create -safe]
+} -body {
+ set result [expr {"file" in [interp hidden $i]}]
+ lappend result [interp eval $i {tcl::file::split a/b/c}]
+ lappend result [catch {interp eval $i {tcl::file::isdirectory .}}]
+ lappend result [interp invokehidden $i file split a/b/c]
+ lappend result [catch {interp eval $i {file split a/b/c}} msg] $msg
+ lappend result [catch {interp invokehidden $i file isdirectory .}]
+ interp expose $i file
+ lappend result [catch {interp eval $i {file split a/b/c}} msg] $msg
+ lappend result [catch {interp eval $i {file isdirectory .}} msg] $msg
+} -cleanup {
+ interp delete $i
+} -result {1 {a b c} 1 {a b c} 1 {invalid command name "file"} 1 0 {a b c} 1 {invalid command name "::tcl::file::isdirectory"}}
set ::auto_path $saveAutoPath
# cleanup