From 643c7a2aa4c7b5cb1412a098ecacd72dc5f09aac Mon Sep 17 00:00:00 2001
From: dkf <donal.k.fellows@manchester.ac.uk>
Date: Mon, 26 Sep 2011 10:46:36 +0000
Subject: Make [file] itself be safe, to reduce breakage in existing code. [Bug
 3211758]

---
 ChangeLog          |  7 +++++++
 generic/tclCmdAH.c | 11 +++++++++++
 tests/safe.test    | 16 ++++++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index ecac917..9673852 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-09-26  Donal K. Fellows  <dkf@users.sf.net>
+
+	* generic/tclCmdAH.c (TclMakeFileCommandSafe): [Bug 3211758]: Also
+	make the main [file] command hidden by default in safe interpreters,
+	because that's what existing code expects. This will reduce the amount
+	which the code breaks, but not necessarily eliminate it...
+
 2011-09-23  Don Porter  <dgp@users.sourceforge.net>
 
 	* generic/tclIORTrans.c: More revisions to get finalization of
diff --git a/generic/tclCmdAH.c b/generic/tclCmdAH.c
index fc9d39d..d036bd6 100644
--- a/generic/tclCmdAH.c
+++ b/generic/tclCmdAH.c
@@ -1063,6 +1063,17 @@ TclMakeFileCommandSafe(
     }
     Tcl_DStringFree(&oldBuf);
     Tcl_DStringFree(&newBuf);
+
+    /*
+     * Ugh. The [file] command is now actually safe, but it is assumed by
+     * scripts that it is not, which messes up security policies. [Bug
+     * 3211758]
+     */
+
+    if (Tcl_HideCommand(interp, "file", "file") != TCL_OK) {
+	Tcl_Panic("problem making 'file' safe: %s",
+		Tcl_GetString(Tcl_GetObjResult(interp)));
+    }
     return TCL_OK;
 }
 
diff --git a/tests/safe.test b/tests/safe.test
index 0f82a6a..4190976 100644
--- a/tests/safe.test
+++ b/tests/safe.test
@@ -541,6 +541,22 @@ test safe-12.7 {glob is restricted} -setup {
 } -cleanup {
     safe::interpDelete $i
 } -match glob -result *
+
+test safe-13.1 {safe file ensemble does not surprise code} -setup {
+    set i [interp create -safe]
+} -body {
+    set result [expr {"file" in [interp hidden $i]}]
+    lappend result [interp eval $i {tcl::file::split a/b/c}]
+    lappend result [catch {interp eval $i {tcl::file::isdirectory .}}]
+    lappend result [interp invokehidden $i file split a/b/c]
+    lappend result [catch {interp eval $i {file split a/b/c}} msg] $msg
+    lappend result [catch {interp invokehidden $i file isdirectory .}]
+    interp expose $i file
+    lappend result [catch {interp eval $i {file split a/b/c}} msg] $msg
+    lappend result [catch {interp eval $i {file isdirectory .}} msg] $msg
+} -cleanup {
+    interp delete $i
+} -result {1 {a b c} 1 {a b c} 1 {invalid command name "file"} 1 0 {a b c} 1 {invalid command name "::tcl::file::isdirectory"}}
 
 set ::auto_path $saveAutoPath
 # cleanup
-- 
cgit v0.12