3 # Support procs to use Tk in safe interpreters.
5 # RCS: @(#) $Id: safetk.tcl,v 1.8.8.1 2006/01/25 18:21:41 dgp Exp $
7 # Copyright (c) 1997 Sun Microsystems, Inc.
9 # See the file "license.terms" for information on usage and redistribution
10 # of this file, and for a DISCLAIMER OF ALL WARRANTIES.
12 # see safetk.n for documentation
16 # Note: It is now ok to let untrusted code be executed
17 # between the creation of the interp and the actual loading
18 # of Tk in that interp because the C side Tk_Init will
19 # now look up the master interp and ask its safe::TkInit
20 # for the actual parameters to use for its initialization (if allowed),
21 # rather than relying on state in the slave, which the untrusted code can modify.
24 # We use opt (optional arguments parsing)
# ::tcl::OptProc and ::tcl::OptProcArgGiven, used by loadTk below, come from
# the "opt" package; 0.4.1 is the minimum version requested.
package require opt 0.4.1
27 namespace eval ::safe {
29 # counter for safe toplevels
33 # tkInterpInit : prepare the slave interpreter for tk loading
34 # most of the real job is done by loadTk
35 # returns the slave name (tkInterpInit does)
37 proc ::safe::tkInterpInit {slave argv
} {
40 # We have to make sure that the tk_library variable uses a file
41 # pathname that works better in Tk (of the style returned by
42 # [file join], ie C:/path/to/tk/lib, not C:\path\to\tk\lib
43 set tk_library
[file join $tk_library]
45 # Clear Tk's access for that interp (path).
48 # There seems to be an obscure case where the tk_library
49 # variable value is changed to point to a symlink's destination
50 # dir instead of the symlink itself, so that $tk_library
51 # would no longer be one of the auto_path dirs; we therefore use
52 # addToAccessPath, which adds the directory if it is not already present,
53 # instead of the more conventional findInAccessPath.
54 # Might be useful for masters without Tk really loaded too.
55 ::interp eval $slave [list set tk_library
[::safe::interpAddToAccessPath $slave $tk_library]]
61 # Do additional configuration as needed (calling tkInterpInit)
62 # and actually load Tk into the slave.
64 # Either contained in the specified windowId (-use) or
65 # creating a decorated toplevel for it.
67 # empty definition for auto_mkIndex
# Placeholder with an empty argument list and an empty body, kept only so that
# the command name shows up as an ordinary proc definition for indexing.
# NOTE(review): the ::tcl::OptProc loadTk call that follows presumably supplies
# the working definition -- confirm against the complete file.
68 proc ::safe::loadTk {} {}
70 ::tcl::OptProc loadTk {
71 {slave
-interp "name of the slave interpreter"}
72 {-use -windowId {} "window Id to use (new toplevel otherwise)"}
73 {-display -displayName {} "display name to use (current one otherwise)"}
75 set displayGiven
[::tcl::OptProcArgGiven "-display"]
78 # Try to get the current display from "."
79 # (which might not exist if the master is tk-less)
81 if {[catch {set display
[winfo screen .
]}]} {
82 if {[info exists
::env(DISPLAY
)]} {
83 set display
$::env(DISPLAY
)
85 Log
$slave "no winfo screen . nor env(DISPLAY)" WARNING
90 if {![::tcl::OptProcArgGiven "-use"]} {
92 # create a decorated toplevel
94 ::tcl::Lassign [tkTopLevel
$slave $display] w use
96 # set our delete hook (slave arg is added by interpDelete)
97 # to clean up both window related code and tkInit(slave)
98 Set
[DeleteHookName
$slave] [list tkDelete
{} $w]
102 # set our delete hook (slave arg is added by interpDelete)
103 # to clean up tkInit(slave)
105 Set
[DeleteHookName
$slave] [list disallowTk
]
107 # Let's be nice and also accept tk window names instead of ids
109 if {[string match
".*" $use]} {
111 set use
[winfo id
$windowName]
112 set nDisplay
[winfo screen
$windowName]
115 # Check for a better -display value
116 # (works only for multiple screens on a single host, not
117 # across hosts; for that a tk window name would be better,
118 # but embedding is also useful for non-tk names)
120 if {![catch {winfo pathname
$use} name
]} {
121 set nDisplay
[winfo screen
$name]
124 # Can't have a better one
126 set nDisplay
$display
129 if {$nDisplay ne
$display} {
131 error "conflicting -display $display and -use\
134 set display
$nDisplay
139 # Prepares the slave for tk with those parameters
141 tkInterpInit
$slave [list "-use" $use "-display" $display]
148 proc ::safe::TkInit {interpPath
} {
150 if {[info exists tkInit
($interpPath)]} {
151 set value
$tkInit($interpPath)
152 Log
$interpPath "TkInit called, returning \"$value\"" NOTICE
155 Log
$interpPath "TkInit called for interp with clearance:\
156 preventing Tk init" ERROR
163 # Set tkInit(interpPath) to allow Tk to be initialized in
167 # interpPath slave interpreter handle
168 # argv arguments passed to safe::TkInterpInit
173 proc ::safe::allowTk {interpPath argv
} {
175 set tkInit
($interpPath) $argv
180 # safe::disallowTk --
182 # Unset tkInit(interpPath) to disallow Tk from getting initialized
186 # interpPath slave interpreter handle
191 proc ::safe::disallowTk {interpPath
} {
193 # This can already be deleted by the DeleteHook of the interp
194 if {[info exists tkInit
($interpPath)]} {
195 unset tkInit
($interpPath)
203 # Clean up the window associated with the interp being deleted.
206 # interpPath slave interpreter handle
211 proc ::safe::tkDelete {W window slave
} {
213 # we are going to be called for each widget... skip until it's
216 Log
$slave "Called tkDelete $W $window" NOTICE
217 if {[::interp exists
$slave]} {
218 if {[catch {::safe::interpDelete $slave} msg
]} {
219 Log
$slave "Deletion error : $msg"
222 if {[winfo exists
$window]} {
223 Log
$slave "Destroy toplevel $window" NOTICE
227 # clean up tkInit(slave)
232 proc ::safe::tkTopLevel {slave display
} {
235 set w
".safe$tkSafeId"
236 if {[catch {toplevel $w -screen $display -class SafeTk
} msg
]} {
237 return -code error "Unable to create toplevel for\
238 safe slave \"$slave\" ($msg)"
240 Log
$slave "New toplevel $w" NOTICE
242 set msg
"Untrusted Tcl applet ($slave)"
247 frame $wc -bg red
-borderwidth 3 -relief ridge
249 # We will destroy the interp when the window is destroyed
250 bindtags $wc [concat Safe$wc [bindtags $wc]]
251 bind Safe$wc <Destroy
> [list ::safe::tkDelete %W
$w $slave]
253 label $wc.l
-text $msg -padx 2 -pady 0 -anchor w
255 # We want the button to be the last visible item
256 # (so be packed first) and at the right and not resizing horizontally
258 # frame the button so it does not expand horizontally
259 # but still have the default background instead of red one from the parent
261 button $wc.fb.b
-text "Delete" \
262 -bd 1 -padx 2 -pady 0 -highlightthickness 0 \
263 -command [list ::safe::tkDelete $w $w $slave]
264 pack $wc.fb.b
-side right
-fill both
265 pack $wc.fb
-side right
-fill both
-expand 1
266 pack $wc.l
-side left
-fill both
-expand 1
267 pack $wc -side bottom
-fill x
270 frame $w.c
-container 1
271 pack $w.c
-fill both
-expand 1
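273 # Return both the toplevel window name and the id to use for embedding.
# The id is that of the container frame $w.c, so the slave's windows are
# embedded there while the "Untrusted Tcl applet" banner and the Delete button
# are created in separate frames of the toplevel, outside that container.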
274 list $w [winfo id
$w.c
]