[Arjen Markus] (8 november 2022) During today's monthly meeting, we discussed the possibility to have a Tcl playground on the Wiki with the effect of allowing users to enter Tcl commands and whole programs but also to run Tk programs. There was one concern in particular: the security of such a feature. A malevolent user could use it to connect to some server and have the poor Wiki molest that server (to put it in dramatic terms). Solution: use a safe interpreter. But does that allow a benevolent user to run Tk?
I did some experimenting and failed so far. The Wiki does suggest using the `::safe::loadTk` command, but that does not work:
======
$ tclsh chktk.tcl
can't read "state(access_path,remap)": no such element in array
while executing
"dict exists $state(access_path,remap) $path"
(procedure "::safe::interpAddToAccessPath" line 7)
invoked from within
"::safe::interpAddToAccessPath $child $tk_library"
(procedure "tkInterpInit" line 11)
invoked from within
"tkInterpInit $child [list "-use" $use "-display" $display]"
(procedure "::safe::loadTk" line 59)
invoked from within
"::safe::loadTk $safeinterp -display :0.0"
(file "chktk.tcl" line 13)
======
I tried it on plain Windows and on Cygwin with and without the -display option, but got the same result.
The contents of the small script:
======tcl
# chktk.tcl --
# I want to run Tk in a safe interpreter. Is that straightforward?
#
package require Tk
set safeinterp [interp create -safe "playground"]
#interp eval playground {package require Tk}
# $safeinterp invokehidden package require Tk
::safe::loadTk $safeinterp -display :0.0
======
The `package require Tk` command in the main interpreter is required to have the `loadTk` command in the first place.
If anyone knows how to solve this, please let me know.
----
[Jeff Smith] 2022-11-09: I have done some research to try to prevent the issue and found a solution but not using a safe interpreter. I run [Tcl Playground] in a Docker Container (as I do with all demos on the Wiki) and by specifying “--net=none” flag when starting the container it disables the network stack on the container. Within the container, only the loopback device is created.----
'''[arjen] - 2022-11-09 07:33:55'''
Oh! That is even better! That means we do not have to bother with configuring such a safe interpreter.