Jeff,
Considering there is a safe interp in Tcl, there should be extensive unit testing that can be run in regression to make sure any new functionality like this does not break the security model. Does Tcl have regression tests (tcltest or other) that exercise the ability of safe interp to stop dangerous code? If there is, then these tests could be run in at least Object eval to see whether this simple approach would work. If not, there should be. Or is the security model based on proving the safety of an interp by analysis of the code? If you take this second approach then much more work must be done before xotcl includes this code for the safe interp.
Ben
ps ( In open source projects, is it the person who comes up with the idea who is the person to implement it? Dang. )
On Apr 4, 2005 1:13 PM, Jeff Hobbs jeffh@activestate.com wrote:
Gustaf Neumann wrote:
Since xotcl uses ordinary tcl interps, I would assume it inherits the safety of safe tcl interps. Since xotcl does not do any socket handling, file I/O, exec's, etc., I would think this is a good start. If you see commands that we should deactivate in safe interps, please let me know.
You have to be careful with anything you add at the C level for safe interps. Whatever you create in Tcl in safe interps is by definition safe (if you aren't aliasing into the master), because of the model. However, in C you can expose anything. While you might not directly expose exec, IO, etc., you have to consider how you might indirectly expose that functionality and how a user might exploit that. I'm not saying that xotcl does, but you should just consider the implications of each C-based command individually. You also have the Tcl_IsSafeInterp C API for variant behavior in safe interps.
Jeff Hobbs, The Tcl Guy http://www.ActiveState.com/, a division of Sophos
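To make Ben's point about regression tests and Jeff's point about aliases concrete, here is an added tcltest file (not from this thread, xotcl or Tcl's own test suite) that checks a safe interp actually hides the command family Jeff names (exec, open, socket, source, load), that a script inside it can ask `interp issafe` (the Tcl-level counterpart of the `Tcl_IsSafeInterp` C API), and that an alias into the master crosses the safety boundary, so the master-side command must do its own validation. The `readConfig` proc and its name whitelist are a hypothetical stand-in for whatever a C-level or master-side command might expose; the test names are assumptions. Run it with `tclsh safe.test`.

```tcl
# Added regression tests for safe-interp behaviour (example, not xotcl code).
package require tcltest 2
namespace import ::tcltest::*

# Helper: evaluate a script in a throwaway safe interp and return
# {errorCode result} so tests can assert on both the outcome and the message.
proc runSafe {script} {
    set child [interp create -safe]
    set code [catch {interp eval $child $script} result]
    interp delete $child
    return [list $code $result]
}

test safe-1.1 {a script can detect it runs in a safe interp} -body {
    runSafe {interp issafe}
} -result {0 1}

test safe-1.2 {the IO/exec family is hidden, not merely renamed} -body {
    set child [interp create -safe]
    set hidden [interp hidden $child]
    set r {}
    foreach cmd {exec open socket source load} {
        lappend r $cmd [expr {[lsearch -exact $hidden $cmd] >= 0}]
    }
    interp delete $child
    set r
} -result {exec 1 open 1 socket 1 source 1 load 1}

test safe-1.3 {invoking a hidden command fails as unknown} -body {
    runSafe {exec true}
} -result {1 {invalid command name "exec"}}

test safe-1.4 {open is not reachable from inside} -body {
    runSafe {open /etc/hostname r}
} -result {1 {invalid command name "open"}}

# Master-side helper reachable through an alias. Whatever this proc can do,
# the safe interp can now do too, so it validates its argument against a
# hypothetical whitelist of config names instead of accepting a path.
proc ::readConfig {name} {
    if {![regexp {^[a-z]+$} $name]} {
        error "bad config name"
    }
    return "config for $name"
}

test safe-2.1 {an alias into the master crosses the safe boundary} -body {
    set child [interp create -safe]
    interp alias $child readConfig {} ::readConfig
    set ok [interp eval $child {readConfig app}]
    set code [catch {interp eval $child {readConfig ../etc/passwd}} msg]
    interp delete $child
    list $ok $code $msg
} -result {{config for app} 1 {bad config name}}

cleanupTests
```

The first group is the kind of test Ben asks for: if a C-level extension like xotcl registers a command that reintroduces one of those capabilities, safe-1.2 through safe-1.4 keep passing (the core commands stay hidden), which is exactly why Jeff says each C command has to be judged on its own; safe-2.1 shows the shape of the test you would add per exposed command, asserting on what the master-side code refuses rather than on the `-safe` flag.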