[Arjen Markus] (8 November 2022) During today's monthly meeting, we discussed the possibility to have a Tcl playground on the Wiki with the effect of allowing users to enter Tcl commands and whole programs but also to run Tk programs. There was one concern in particular: the security of such a feature. A malevolent user could use it to connect to some server and have the poor Wiki molest that server (to put it in dramatic terms).

Solution: use a safe interpreter. But does that allow a benevolent user to run Tk? I did some experimenting and failed so far. The Wiki does suggest using the `::safe::loadTk` command, but that does not work:

======
$ tclsh chktk.tcl
can't read "state(access_path,remap)": no such element in array
    while executing
"dict exists $state(access_path,remap) $path"
    (procedure "::safe::interpAddToAccessPath" line 7)
    invoked from within
"::safe::interpAddToAccessPath $child $tk_library"
    (procedure "tkInterpInit" line 11)
    invoked from within
"tkInterpInit $child [list "-use" $use "-display" $display]"
    (procedure "::safe::loadTk" line 59)
    invoked from within
"::safe::loadTk $safeinterp -display :0.0"
    (file "chktk.tcl" line 13)
======

I tried it on plain Windows and on Cygwin with and without the -display option, but got the same result. The contents of the small script:

======tcl
# chktk.tcl --
#     I want to run Tk in a safe interpreter. Is that straightforward?
#
package require Tk

set safeinterp [interp create -safe "playground"]

#interp eval playground {package require Tk}

# $safeinterp invokehidden package require Tk

::safe::loadTk $safeinterp -display :0.0
======

The `package require Tk` command in the main interpreter is required to have the `loadTk` command in the first place.

If anyone knows how to solve this, please let me know.

----
[Jeff Smith] 2022-11-09: I have done some research to try to prevent the issue and found a solution but not using a safe interpreter.

I run [Tcl Playground] in a Docker Container (as I do with all demos on the Wiki) and by specifying the `--net=none` flag when starting the container it disables the network stack on the container. Within the container, only the loopback device is created.

----
'''[arjen] - 2022-11-09 07:33:55'''

Oh! That is even better! That means we do not have to bother with configuring such a safe interpreter.
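----
What the safe-interpreter approach discussed above restricts, as an added example that is not code from any of the posts: it lists the commands hidden from a safe child, shows that a `socket` call made from inside the child fails, and then sets up Tk in a child created through the Safe Base. It assumes, following the Safe Base documentation, that `::safe::loadTk` is meant for children created with `::safe::interpCreate` rather than plain `interp create -safe`; whether that resolves the error reported above was not verified on the posters' systems, and the widget names are illustrative.

```tcl
# Added example, not code from the wiki page.
# The interpreter name "playground" follows the page; the rest is illustrative.
package require Tcl 8.6

# 1. A plain safe interpreter: commands that reach outside the process
#    (socket, open, exec, ...) are hidden from scripts run in the child.
set plain [interp create -safe]
puts "Hidden in a safe child: [lsort [interp hidden $plain]]"

# A script inside the child cannot open a connection, because the
# command is not visible there. catch reports the failure and its message.
set failed [catch {interp eval $plain {socket 127.0.0.1 80}} msg]
puts "socket from plain safe child failed: $failed ($msg)"
interp delete $plain

# 2. A Safe Base child. ::safe::interpCreate also creates a safe
#    interpreter, and additionally records the per-child state
#    (virtual access path) that the ::safe::* helpers rely on.
set child [::safe::interpCreate playground]
set failed [catch {interp eval $child {socket 127.0.0.1 80}} msg]
puts "socket from Safe Base child failed: $failed ($msg)"

# 3. Tk inside the Safe Base child. Tk must be loadable in the parent
#    (which needs a display), so this step is skipped otherwise.
if {![catch {package require Tk}]} {
    ::safe::loadTk $child
    interp eval $child {
        button .b -text "Hello from the safe child" -command {destroy .}
        pack .b
    }
    # Only the parent decides what else the child may do, for example
    # by aliasing one vetted command into it:
    interp alias $child parentLog {} puts stderr
} else {
    puts "Tk not available in the parent; skipping the Tk step."
}
```

The safe interpreter limits what a submitted script can call, while the `--net=none` container removes the network stack underneath the whole process; the two controls are independent and can be combined.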