diff options
author | dkf <donal.k.fellows@manchester.ac.uk> | 2011-09-26 10:46:36 (GMT) |
---|---|---|
committer | dkf <donal.k.fellows@manchester.ac.uk> | 2011-09-26 10:46:36 (GMT) |
commit | 643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac (patch) | |
tree | fefa07fe0a7c1d24f6f787f9521de1b302a1e4b3 | |
parent | e3352567a2a3af2547b61485e6b91c0efd03533b (diff) | |
download | tcl-643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac.zip tcl-643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac.tar.gz tcl-643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac.tar.bz2 |
Make [file] itself be safe, to reduce breakage in existing code. [Bug 3211758]
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | generic/tclCmdAH.c | 11 | ||||
-rw-r--r-- | tests/safe.test | 16 |
3 files changed, 34 insertions, 0 deletions
@@ -1,3 +1,10 @@ +2011-09-26 Donal K. Fellows <dkf@users.sf.net> + + * generic/tclCmdAH.c (TclMakeFileCommandSafe): [Bug 3211758]: Also + make the main [file] command hidden by default in safe interpreters, + because that's what existing code expects. This will reduce the amount + which the code breaks, but not necessarily eliminate it... + 2011-09-23 Don Porter <dgp@users.sourceforge.net> * generic/tclIORTrans.c: More revisions to get finalization of diff --git a/generic/tclCmdAH.c b/generic/tclCmdAH.c index fc9d39d..d036bd6 100644 --- a/generic/tclCmdAH.c +++ b/generic/tclCmdAH.c @@ -1063,6 +1063,17 @@ TclMakeFileCommandSafe( } Tcl_DStringFree(&oldBuf); Tcl_DStringFree(&newBuf); + + /* + * Ugh. The [file] command is now actually safe, but it is assumed by + * scripts that it is not, which messes up security policies. [Bug + * 3211758] + */ + + if (Tcl_HideCommand(interp, "file", "file") != TCL_OK) { + Tcl_Panic("problem making 'file' safe: %s", + Tcl_GetString(Tcl_GetObjResult(interp))); + } return TCL_OK; } diff --git a/tests/safe.test b/tests/safe.test index 0f82a6a..4190976 100644 --- a/tests/safe.test +++ b/tests/safe.test @@ -541,6 +541,22 @@ test safe-12.7 {glob is restricted} -setup { } -cleanup { safe::interpDelete $i } -match glob -result * + +test safe-13.1 {safe file ensemble does not surprise code} -setup { + set i [interp create -safe] +} -body { + set result [expr {"file" in [interp hidden $i]}] + lappend result [interp eval $i {tcl::file::split a/b/c}] + lappend result [catch {interp eval $i {tcl::file::isdirectory .}}] + lappend result [interp invokehidden $i file split a/b/c] + lappend result [catch {interp eval $i {file split a/b/c}} msg] $msg + lappend result [catch {interp invokehidden $i file isdirectory .}] + interp expose $i file + lappend result [catch {interp eval $i {file split a/b/c}} msg] $msg + lappend result [catch {interp eval $i {file isdirectory .}} msg] $msg +} -cleanup { + interp delete $i +} -result {1 {a b c} 1 {a b c} 1 {invalid command name "file"} 1 0 {a b c} 1 {invalid command name "::tcl::file::isdirectory"}} set ::auto_path $saveAutoPath # cleanup |