Arjen Markus (12 november 2003) In response to a recent discussion on the c.l.t. about a problem that arose in the context of regular expressions, I have started this page. Its sole purpose: document dangerous constructs in Tcl
Using the subst command on arbitrary data:
    set a "Hello,"
    set b "world!"
    set string "$a $b"
    puts [subst $string]
gives:
Hello, world!
but:
    set string "\[exit\]"
    puts [subst $string]
stops your program!
The subst command allows you to suppress the execution of commands:
puts [subst -nocommands $string]
gives:
[exit]
RS: A simple error that will appear only at runtime is not protecting a switch command with --:
switch $input {...}
The error will occur if $input starts with a minus (-) sign. So best always use
switch -- $input {...}
LV: There are a number of other Tcl commands which also support --; if the command supports it, and you are using random input from users or input files, you probably should use it.
TV: Opening any server socket, expecting a certain other party to connect. For instance a file transfer à la ftp where a control connection triggers a file transfer over a separate socket pair.
Please: the next!
See also the Frequently Made Mistakes FMM page.
[Mention un-braced expr use.] What's dangerous about unbraced expr?
Short answer:
    # Uh-oh; what if it's "exec rm -rf ..." rather than "exec touch ..."?
    set a {[exec touch /tmp/77]}
    set b {[exec touch /tmp/78]}
    catch {expr $a + 4}
    catch {expr {$b + 4}}
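An added Tcl example, not from the original page, putting the subst, unbraced-expr and switch pitfalls above beside their safe forms; the injected "command" only sets a flag, and the names ran_after, payload, ::ran, input and opt are assumed here:

```tcl
# Added example, not from the original page: each dangerous construct beside
# its safe form. The injected "command" only sets a flag, so running this
# touches nothing outside the interpreter. Names (ran_after, payload, ::ran,
# input, opt) are assumed for this example.
proc payload {} { set ::ran 1; return 0 }

# Evaluate a script in the caller's scope, then report whether the injected
# command got executed (errors from the script are swallowed on purpose).
proc ran_after {script} {
    set ::ran 0
    catch {uplevel 1 $script}
    return $::ran
}

set input {[payload]}   ;# constructed attacker-controlled string

# 1. subst: plain subst runs the embedded command; -nocommands leaves it alone.
puts "subst:             [ran_after {subst $input}]"               ;# 1
puts "subst -nocommands: [ran_after {subst -nocommands $input}]"   ;# 0

# 2. expr: unbraced expr substitutes $input first and then parses the result
#    "[payload] + 4" as an expression, so the command substitution runs.
#    With braces expr sees the literal text $input + 4, substitutes the
#    variable's value as a plain string and fails with a non-numeric-operand
#    error instead of executing anything.
puts "expr unbraced:     [ran_after {expr $input + 4}]"            ;# 1
puts "expr braced:       [ran_after {expr {$input + 4}}]"          ;# 0

# 3. switch: a value starting with "-" is read as an option unless -- ends
#    the option list, so the first form raises an error and the second
#    matches the -nocase pattern as ordinary data.
set opt "-nocase"
puts "switch without --: error=[catch {switch $opt {-nocase {set r 1} default {set r 0}}}]"     ;# 1
puts "switch with --:    error=[catch {switch -- $opt {-nocase {set r 1} default {set r 0}}}]"  ;# 0
```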