Version 8 of Dangerous constructs

Updated 2003-11-13 15:53:55

Arjen Markus (12 november 2003) In response to a recent discussion on the c.l.t. about a problem that arose in the context of regular expressions, I have started this page. Its sole purpose: document dangerous constructs in Tcl


Using the subst command on arbitrary data:

   set a "Hello,"
   set b "world!"
   set string "$a $b"
   puts [subst $string]

gives:

 Hello, world!

but:

   set string "\[exit\]"
   puts [subst $string]

stops you program!

The subst command allows you to suppress the execution of commands:

   puts [subst -nocommands $string]

gives:

  [exit]

RS: A simple error that will appear only at runtime is not protecting a switch command with --:

 switch $input {...}

The error will occur if $input starts with a minus (-) sign. So best always use

 switch -- $input {...}

LV There are a number of other tcl commands which also support -- ; if the command supports it, and you are using random input from users or input files, you probably should use it.


TV opening any server socket, expecting a certain other party to connect. For instance a file transfer à la ftp where a control connection triggers a file transfer over a seperate socket pair.


Please: the next!


See also the Frequently Made Mistakes FMM page.


[Mention un-braced expr use.] What's dangerous about unbraced expr?

Short answer:

      # Uh-oh; what if it's "exec rm -rf ..." rather than "exec touch ..."?
    set a {[exec touch /tmp/77]}
    set b {[exec touch /tmp/78]}
    catch {expr $a + 4}
    catch {expr {$b + 4}}

[ Arts and crafts of Tcl-Tk programming ]