Running Tk from a safe interpreter

[Arjen Markus] (8 November 2022) During today's monthly meeting, we discussed the possibility of having a Tcl playground on the Wiki with the effect of allowing users to enter Tcl commands and whole programs but also to run Tk programs. There was one concern in particular: the security of such a feature. A malevolent user could use it to connect to some server and have the poor Wiki molest that server (to put it in dramatic terms). Solution: use a safe interpreter. But does that allow a benevolent user to run Tk?

I did some experimenting and failed so far. The Wiki does suggest using the `::safe::loadTk` command, but that does not work:

```
$ tclsh chktk.tcl
can't read "state(access_path,remap)": no such element in array
    while executing
"dict exists $state(access_path,remap) $path"
    (procedure "::safe::interpAddToAccessPath" line 7)
    invoked from within
"::safe::interpAddToAccessPath $child $tk_library"
    (procedure "tkInterpInit" line 11)
    invoked from within
"tkInterpInit $child [list "-use" $use "-display" $display]"
    (procedure "::safe::loadTk" line 59)
    invoked from within
"::safe::loadTk $safeinterp -display :0.0"
    (file "chktk.tcl" line 13)
```

I tried it on plain Windows and on Cygwin with and without the -display option, but got the same result.

The contents of the small script:
```tcl
# chktk.tcl --
#     I want to run Tk in a safe interpreter. Is that straightforward?

package require Tk

set safeinterp [interp create -safe "playground"]

#interp eval playground {package require Tk}

# $safeinterp invokehidden package require Tk

::safe::loadTk $safeinterp -display :0.0
```

The `package require Tk` command in the main interpreter is required to have the `loadTk` command in the first place.

If anyone knows how to solve this, please let me know.
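
The traceback above fails on Safe Base state (`state(access_path,remap)`), which is set up by `::safe::interpCreate` (or `::safe::interpInit`) and is absent from a child made with a bare `interp create -safe`. The following is an added example, not code from the original page or its authors, that creates the child through the Safe Base, loads Tk into it, and checks that the commands behind the network concern are not callable. It assumes Tcl/Tk 8.6 and a working display; the user script is a constructed sample.

```tcl
# Added example (not from the original page).
# Assumes Tcl/Tk 8.6 and a working display.
package require Tk          ;# provides ::safe::loadTk in the parent
wm withdraw .               ;# hide the parent's own main window

# Create the child through the Safe Base so that its per-child state
# (access path and so on) exists before Tk is loaded into it.
set child [::safe::interpCreate playground]
::safe::loadTk $child

# Constructed stand-in for code submitted by a playground user.
set userScript {
    button .b -text "Hello from the sandbox" \
        -command {.b configure -text "Clicked"}
    pack .b -padx 20 -pady 20
}
if {[catch {interp eval $child $userScript} err]} {
    puts stderr "user script failed: $err"
}

# Check from the parent that socket, exec and open are hidden in the
# child rather than callable.
foreach cmd {socket exec open} {
    set visible [expr {[interp eval $child [list info commands $cmd]] ne ""}]
    set hidden  [expr {$cmd in [interp hidden $child]}]
    puts [format "%-6s visible=%d hidden=%d" $cmd $visible $hidden]
}

# A direct call from user code is rejected with an error.
if {[catch {interp eval $child {socket localhost 80}} msg]} {
    puts "socket attempt rejected: $msg"
}
```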

----
[Jeff Smith] 2022-11-09: I have done some research to try to prevent the issue and found a solution, but not using a safe interpreter. I run [Tcl Playground] in a Docker container (as I do with all demos on the Wiki), and by specifying the `--net=none` flag when starting the container it disables the network stack on the container. Within the container, only the loopback device is created.