1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
'\"
'\" Copyright (c) 1995-1996 Sun Microsystems, Inc.
'\"
'\" See the file "license.terms" for information on usage and redistribution
'\" of this file, and for a DISCLAIMER OF ALL WARRANTIES.
'\"
'\" SCCS: @(#) loadTk.n 1.5 97/08/18 17:44:43
'\"
.so man.macros
.TH "Safe Tk" n 8.0 Tk "Tk Built-In Commands"
.BS
'\" Note: do not modify the .SH NAME line immediately below!
.SH NAME
loadTk \- Load Tk into a safe interpreter.
.SH SYNOPSIS
\fB::safe::loadTk \fIslave\fR ?\fB\-use\fR \fIwindowId\fR?
.BE
Safe Tk is based on Safe Tcl, which provides a mechanism
that allows restricted and mediated
access to auto-loading and packages for safe interpreters.
Safe Tk adds the ability to configure the interpreter
for safe Tk operations and load Tk into safe
interpreters.
.SH DESCRIPTION
.PP
The \fB::safe::loadTk\fR command initializes the required data structures
in the named safe interpreter and then loads Tk into it.
The command returns the name of the safe interpreter.
If \fB\-use\fR is specified, the window identified by the specified system
dependent identifier \fIwindowId\fR is used to contain the \fB``.''\fR
window of the safe interpreter; it can be any valid id, eventually
referencing a window belonging to another application.
Otherwise, a new toplevel window is created for the \fB``.''\fR window of
the safe interpreter.
See the \fBSECURITY ISSUES\fR section below for implementation details.
.SH SECURITY ISSUES
.PP
Please read the \fBsafe\fR manual page for Tcl to learn about the basic
security considerations for Safe Tcl.
.PP
Information in the safe interpreter should never be trusted for security
purposes.
However, because Tk initialization of the safe interpreter do use
local information, it is unsafe if the safe interpreter
could have gained control before Tk is loaded.
This will be fixed in an upcoming release, by making Tk initialization in a
safe interpreter use only information found in the interpreter's master
instead of relying on the (un)safe interpreter state.
.PP
You should therefore use \fBsafe::loadTk $slave\fR as soon as possible
after \fBsafe::interpCreate\fR and before any code is evaluated in the safe
interpreter.
The preferred sequence is:
.CS
set slave [::safe::loadTk [::safe::interpCreate]]
.CE
If you want to prevent safe interpreters from loading Tk entirely, you
should create the interpreter as follows:
.CS
::safe::interpCreate \-nostatics \-accesspath \fI{directories...}\fR
.CE
and you must also insure that the virtual access path \fIdirectories\fR for
the interpreter does not contain a dynamically loadable version of Tk.
.PP
\fB::safe::loadTk\fR adds the value of \fBtk_library\fR taken from the master
interpreter to the virtual access path of the safe interpreter so that
auto-loading will work in the safe interpreter.
It also sets \fBenv(DISPLAY)\fR in the safe interpreter to the value of
\fBenv(DISPLAY)\fR in the master interpreter, if it exists.
Finally, it sets the slave's Tcl variable \fBargv\fR to \fB\-use\fR
\fIwindowId\fR in the safe interpreter.
When \fB\-use\fR is not used, the new toplevel created is specially
decorated so the user is always aware that the user interface presented comes
from a potentially unsafe code and can easily delete the corresponding
interpreter.
.SH "SEE ALSO"
safe(n), interp(n), library(n), load(n), package(n), source(n), unknown(n)
.SH KEYWORDS
alias, auto\-loading, auto_mkindex, load, master interpreter, safe
interpreter, slave interpreter, source
|
