Running Tk from a safe interpreter

Arjen Markus (8 November 2022) During today's monthly meeting, we discussed the possibility of having a Tcl playground on the Wiki with the effect of allowing users to enter Tcl commands and whole programs but also to run Tk programs. There was one concern in particular: the security of such a feature. A malevolent user could use it to connect to some server and have the poor Wiki molest that server (to put it in dramatic terms). Solution: use a safe interpreter. But does that allow a benevolent user to run Tk?

I did some experimenting and failed so far. The Wiki does suggest using the ::safe::loadTk command, but that does not work:

$ tclsh chktk.tcl
can't read "state(access_path,remap)": no such element in array
    while executing
"dict exists $state(access_path,remap) $path"
    (procedure "::safe::interpAddToAccessPath" line 7)
    invoked from within
"::safe::interpAddToAccessPath $child $tk_library"
    (procedure "tkInterpInit" line 11)
    invoked from within
"tkInterpInit $child [list "-use" $use "-display" $display]"
    (procedure "::safe::loadTk" line 59)
    invoked from within
"::safe::loadTk $safeinterp -display :0.0"
    (file "chktk.tcl" line 13)

I tried it on plain Windows and on Cygwin with and without the -display option, but got the same result.

The contents of the small script:

# chktk.tcl --
#     I want to run Tk in a safe interpreter. Is that straightforward?
#

package require Tk

set safeinterp [interp create -safe "playground"]

#interp eval playground {package require Tk}

# $safeinterp invokehidden package require Tk

::safe::loadTk $safeinterp -display :0.0

The package require Tk command in the main interpreter is required to have the loadTk command in the first place.

If anyone knows how to solve this, please let me know.
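
An added example, not part of the posts on this page: the Tk documentation for safe::loadTk says the child must have been created with ::safe::interpCreate or initialised with ::safe::interpInit, whereas the script above uses a plain "interp create -safe". The proc name runInPlayground, the sample user script and the 30-second lifetime are assumptions made for illustration, and a display must be available.

```tcl
package require Tk   ;# parent needs Tk so that ::safe::loadTk is defined

# Hypothetical helper: run one untrusted script in a fresh Safe Base child.
proc runInPlayground {script} {
    # ::safe::interpCreate (not "interp create -safe") sets up the Safe Base
    # bookkeeping, including the access path that loadTk extends.
    set child [::safe::interpCreate]
    ::safe::loadTk $child      ;# "." of the child becomes a new toplevel

    # Evaluate the user's code in the child; errors stay contained here.
    set code [catch {interp eval $child $script} result]
    return [list $child $code $result]
}

# Constructed sample input standing in for what a Wiki user might submit.
set userScript {
    label .l -text "Tk inside a safe interpreter"
    button .b -text "Close" -command {destroy .}
    pack .l .b
    # Commands that reach outside the sandbox are hidden in the child,
    # so each probe fails with "invalid command name".
    set blocked {}
    foreach probe {{socket localhost 80} {open probe.txt} {exec ls}} {
        if {[catch $probe msg]} { lappend blocked [lindex $probe 0] }
    }
    set blocked
}

lassign [runInPlayground $userScript] child code result
puts "status=$code blocked=$result"

# tclsh has no implicit event loop: serve Tk events for a fixed lifetime,
# then remove the child if closing its window has not already done so.
after 30000 {set ::done 1}
vwait ::done
if {[interp exists $child]} { ::safe::interpDelete $child }
```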


Jeff Smith 2022-11-09: I have done some research to try to prevent the issue and found a solution, but not using a safe interpreter. I run Tcl Playground in a Docker container (as I do with all demos on the Wiki), and specifying the "--net=none" flag when starting the container disables the network stack on the container. Within the container, only the loopback device is created.


arjen - 2022-11-09 07:33:55

Oh! That is even better! That means we do not have to bother with configuring such a safe interpreter.