From 9d34b872ced6c6713cf84f914f11a017ecd2cd49 Mon Sep 17 00:00:00 2001
From: "jan.nijtmans"
Date: Fri, 25 Sep 2020 11:09:08 +0000
Subject: When sourcing script files (even when simulating that through open|read), always set -eofchar \032 just like the source command does. Possible security issue: this could make it possible to evaluate hidden content at the end of pkgIndex files.
---
 library/auto.tcl | 2 ++
 library/init.tcl | 1 +
 2 files changed, 3 insertions(+)
diff --git a/library/auto.tcl b/library/auto.tcl
index 6cb09b6..32a5f52 100644
--- a/library/auto.tcl
+++ b/library/auto.tcl
@@ -248,6 +248,7 @@ proc auto_mkindex_old {dir args} {
 set f ""
 set error [catch {
 set f [open $file]
+ fconfigure $f -eofchar \032
 while {[gets $f line] >= 0} {
 if {[regexp {^proc[ ]+([^ ]*)} $line match procName]} {
 set procName [lindex [auto_qualify $procName "::"] 0]
@@ -351,6 +352,7 @@ proc auto_mkindex_parser::mkindex {file} {
 set scriptFile $file
 set fid [open $file]
+ fconfigure $fid -eofchar \032
 set contents [read $fid]
 close $fid
diff --git a/library/init.tcl b/library/init.tcl
index 0a5e71b..6e4cf89 100644
--- a/library/init.tcl
+++ b/library/init.tcl
@@ -501,6 +501,7 @@ proc auto_load_index {} {
 continue
 } else {
 set error [catch {
+ fconfigure $f -eofchar \032
 set id [gets $f]
 if {$id eq "# Tcl autoload index file, version 2.0"} {
 eval [read $f]
-- 
cgit v0.12
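Review bot: The added `fconfigure $f -eofchar \032` in auto_mkindex_old has no comment, and a bare octal escape does not say why the channel is configured this way or that the line is security-relevant. I would put above it `# Stop reading at Ctrl-Z (\032) exactly as [source] does, so data after it is never scanned or evaluated.`; the same comment fits the identical lines added in auto_mkindex_parser::mkindex and in auto_load_index (library/init.tcl). Because the value now appears at three call sites and has to stay in step with what source uses, a shared constant or a small helper that opens a script file with this setting would keep them from drifting apart. The bodies of all three procs continue outside their hunks.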
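Review bot: No regression test accompanies the change as far as the diffstat shows (only library/auto.tcl and library/init.tcl, 3 insertions), and in auto_load_index the configured channel feeds `eval [read $f]`, the path where a regression matters most. A test that writes an index file with the version 2.0 header and an ordinary entry, followed by a \032 byte and a marker command, and then asserts after auto_load_index that the marker never ran, would pin the behaviour. Analogous cases would cover the two mkindex readers in library/auto.tcl. Only the start of the catch body is visible in this hunk, so any other branch that reads from the same channel is assumed to inherit the setting, which is worth confirming.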