Viewing file:  safetk.tcl (7.35 KB) -rw-r--r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
# safetk.tcl --
#
# Support procs to use Tk in safe interpreters.
#
# RCS: @(#) $Id: safetk.tcl,v 1.8.8.1 2006/01/25 18:21:41 dgp Exp $
#
# Copyright (c) 1997 Sun Microsystems, Inc.
#
# See the file "license.terms" for information on usage and redistribution
# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
# see safetk.n for documentation
#
#
# Note: It is now ok to let untrusted code being executed
# between the creation of the interp and the actual loading
# of Tk in that interp because the C side Tk_Init will
# now look up the master interp and ask its safe::TkInit
# for the actual parameters to use for it's initialization (if allowed),
# not relying on the slave state.
#
# We use opt (optional arguments parsing)
package require opt 0.4.1;
namespace eval ::safe {
# counter for safe toplevels
variable tkSafeId 0;
#
# tkInterpInit : prepare the slave interpreter for tk loading
# most of the real job is done by loadTk
# returns the slave name (tkInterpInit does)
#
proc ::safe::tkInterpInit {slave argv} {
global env tk_library
# We have to make sure that the tk_library variable uses a file
# pathname that works better in Tk (of the style returned by
# [file join], ie C:/path/to/tk/lib, not C:\path\to\tk\lib
set tk_library [file join $tk_library]
# Clear Tk's access for that interp (path).
allowTk $slave $argv
# there seems to be an obscure case where the tk_library
# variable value is changed to point to a sym link destination
# dir instead of the sym link itself, and thus where the $tk_library
# would then not be anymore one of the auto_path dir, so we use
# the addToAccessPath which adds if it's not already in instead
# of the more conventional findInAccessPath.
# Might be usefull for masters without Tk really loaded too.
::interp eval $slave [list set tk_library [::safe::interpAddToAccessPath $slave $tk_library]]
return $slave
}
# tkInterpLoadTk :
# Do additional configuration as needed (calling tkInterpInit)
# and actually load Tk into the slave.
#
# Either contained in the specified windowId (-use) or
# creating a decorated toplevel for it.
# empty definition for auto_mkIndex
proc ::safe::loadTk {} {}
::tcl::OptProc loadTk {
{slave -interp "name of the slave interpreter"}
{-use -windowId {} "window Id to use (new toplevel otherwise)"}
{-display -displayName {} "display name to use (current one otherwise)"}
} {
set displayGiven [::tcl::OptProcArgGiven "-display"]
if {!$displayGiven} {
# Try to get the current display from "."
# (which might not exist if the master is tk-less)
if {[catch {set display [winfo screen .]}]} {
if {[info exists ::env(DISPLAY)]} {
set display $::env(DISPLAY)
} else {
Log $slave "no winfo screen . nor env(DISPLAY)" WARNING
set display ":0.0"
}
}
}
if {![::tcl::OptProcArgGiven "-use"]} {
# create a decorated toplevel
::tcl::Lassign [tkTopLevel $slave $display] w use
# set our delete hook (slave arg is added by interpDelete)
# to clean up both window related code and tkInit(slave)
Set [DeleteHookName $slave] [list tkDelete {} $w]
} else {
# set our delete hook (slave arg is added by interpDelete)
# to clean up tkInit(slave)
Set [DeleteHookName $slave] [list disallowTk]
# Let's be nice and also accept tk window names instead of ids
if {[string match ".*" $use]} {
set windowName $use
set use [winfo id $windowName]
set nDisplay [winfo screen $windowName]
} else {
# Check for a better -display value
# (works only for multi screens on single host, but not
# cross hosts, for that a tk window name would be better
# but embeding is also usefull for non tk names)
if {![catch {winfo pathname $use} name]} {
set nDisplay [winfo screen $name]
} else {
# Can't have a better one
set nDisplay $display
}
}
if {$nDisplay ne $display} {
if {$displayGiven} {
error "conflicting -display $display and -use\
$use -> $nDisplay"
} else {
set display $nDisplay
}
}
}
# Prepares the slave for tk with those parameters
tkInterpInit $slave [list "-use" $use "-display" $display]
load {} Tk $slave
return $slave
}
proc ::safe::TkInit {interpPath} {
variable tkInit
if {[info exists tkInit($interpPath)]} {
set value $tkInit($interpPath)
Log $interpPath "TkInit called, returning \"$value\"" NOTICE
return $value
} else {
Log $interpPath "TkInit called for interp with clearance:\
preventing Tk init" ERROR
error "not allowed"
}
}
# safe::allowTk --
#
# Set tkInit(interpPath) to allow Tk to be initialized in
# safe::TkInit.
#
# Arguments:
# interpPath slave interpreter handle
# argv arguments passed to safe::TkInterpInit
#
# Results:
# none.
proc ::safe::allowTk {interpPath argv} {
variable tkInit
set tkInit($interpPath) $argv
return
}
# safe::disallowTk --
#
# Unset tkInit(interpPath) to disallow Tk from getting initialized
# in safe::TkInit.
#
# Arguments:
# interpPath slave interpreter handle
#
# Results:
# none.
proc ::safe::disallowTk {interpPath} {
variable tkInit
# This can already be deleted by the DeleteHook of the interp
if {[info exists tkInit($interpPath)]} {
unset tkInit($interpPath)
}
return
}
# safe::tkDelete --
#
# Clean up the window associated with the interp being deleted.
#
# Arguments:
# interpPath slave interpreter handle
#
# Results:
# none.
proc ::safe::tkDelete {W window slave} {
# we are going to be called for each widget... skip untill it's
# top level
Log $slave "Called tkDelete $W $window" NOTICE
if {[::interp exists $slave]} {
if {[catch {::safe::interpDelete $slave} msg]} {
Log $slave "Deletion error : $msg"
}
}
if {[winfo exists $window]} {
Log $slave "Destroy toplevel $window" NOTICE
destroy $window
}
# clean up tkInit(slave)
disallowTk $slave
return
}
proc ::safe::tkTopLevel {slave display} {
variable tkSafeId
incr tkSafeId
set w ".safe$tkSafeId"
if {[catch {toplevel $w -screen $display -class SafeTk} msg]} {
return -code error "Unable to create toplevel for\
safe slave \"$slave\" ($msg)"
}
Log $slave "New toplevel $w" NOTICE
set msg "Untrusted Tcl applet ($slave)"
wm title $w $msg
# Control frame
set wc $w.fc
frame $wc -bg red -borderwidth 3 -relief ridge
# We will destroy the interp when the window is destroyed
bindtags $wc [concat Safe$wc [bindtags $wc]]
bind Safe$wc <Destroy> [list ::safe::tkDelete %W $w $slave]
label $wc.l -text $msg -padx 2 -pady 0 -anchor w
# We want the button to be the last visible item
# (so be packed first) and at the right and not resizing horizontally
# frame the button so it does not expand horizontally
# but still have the default background instead of red one from the parent
frame $wc.fb -bd 0
button $wc.fb.b -text "Delete" \
-bd 1 -padx 2 -pady 0 -highlightthickness 0 \
-command [list ::safe::tkDelete $w $w $slave]
pack $wc.fb.b -side right -fill both
pack $wc.fb -side right -fill both -expand 1
pack $wc.l -side left -fill both -expand 1
pack $wc -side bottom -fill x
# Container frame
frame $w.c -container 1
pack $w.c -fill both -expand 1
# return both the toplevel window name and the id to use for embedding
list $w [winfo id $w.c]
}
}
|