safetk.tcl 7.2 KB

  1. # safetk.tcl --
  2. #
  3. # Support procs to use Tk in safe interpreters.
  4. #
  5. # Copyright (c) 1997 Sun Microsystems, Inc.
  6. #
  7. # See the file "license.terms" for information on usage and redistribution
  8. # of this file, and for a DISCLAIMER OF ALL WARRANTIES.
  9. # see safetk.n for documentation
  10. #
  11. #
  12. # Note: It is now OK for untrusted code to be executed
  13. # between the creation of the interp and the actual loading
  14. # of Tk in that interp, because the C-side Tk_Init will
  15. # now look up the master interp and ask its safe::TkInit
  16. # for the actual parameters to use for its initialization (if allowed),
  17. # rather than relying on the slave's state.
  18. #
  19. # We use opt (optional arguments parsing)
  20. package require opt 0.4.1;
  # Make sure the ::safe namespace exists before defining its state.
  namespace eval ::safe {}

  # Counter for safe toplevels: tkTopLevel increments it and names each
  # new toplevel ".safe<N>".
  set ::safe::tkSafeId 0
  # safe::tkInterpInit --
  #
  #   Prepare the slave interpreter for loading Tk.  Most of the real
  #   job is done by safe::loadTk, which calls this proc.
  #
  # Arguments:
  #   slave   slave interpreter handle
  #   argv    Tk initialization arguments to record for the slave
  #
  # Results:
  #   Returns the slave name.
  #
  # Side effects:
  #   Normalizes the master's global tk_library, records argv through
  #   allowTk, and extends the slave's access path.
  proc ::safe::tkInterpInit {slave argv} {
      global env tk_library

      # The master's tk_library must be a normalized path before it is
      # handed to the access-path helpers below.
      set tk_library [file normalize $tk_library]

      # Record the clearance for this interp (path): allowTk stores argv
      # in tkInit, which is what safe::TkInit later hands back.
      allowTk $slave $argv

      # Put tk_library on the slave's access path and set the slave's own
      # tk_library to whatever interpAddToAccessPath returned
      # (presumably a path token -- confirm in safe.tcl).
      set slaveLibrary [::safe::interpAddToAccessPath $slave $tk_library]
      ::interp eval $slave [list set tk_library $slaveLibrary]

      # Sub-directories (e.g. ttk) have to be reachable as well.
      foreach subdir [::safe::AddSubDirs [list $tk_library]] {
          ::safe::interpAddToAccessPath $slave $subdir
      }

      return $slave
  }
  # safe::loadTk --
  #
  #   Do the additional configuration needed (by calling tkInterpInit)
  #   and actually load Tk into the slave.  The slave's Tk is either
  #   contained in the window given with -use, or a decorated toplevel
  #   is created for it by tkTopLevel.
  #
  # Arguments:
  #   slave       name of the slave interpreter
  #   -use        window id to embed into; a Tk window name (starting
  #               with ".") is accepted too.  A new toplevel is created
  #               when the option is absent.
  #   -display    display name to use (current one otherwise)
  #
  # Results:
  #   Returns the slave name.  Raises an error with -errorcode
  #   {TK DISPLAY SAFE} when an explicitly given -display differs from
  #   the screen found for the -use window.
  #
  # Side effects:
  #   Sets state(cleanupHook) in the S<slave> state array so that the
  #   Tk clearance (and the toplevel, when one was created) is cleaned
  #   up on interp deletion.

  # Empty definition for auto_mkIndex.
  proc ::safe::loadTk {} {}

  ::tcl::OptProc ::safe::loadTk {
      {slave -interp "name of the slave interpreter"}
      {-use -windowId {} "window Id to use (new toplevel otherwise)"}
      {-display -displayName {} "display name to use (current one otherwise)"}
  } {
      set explicitDisplay [::tcl::OptProcArgGiven "-display"]

      # Without -display, try the screen of "." first; "." might not
      # exist if the master is Tk-less, so fall back to env(DISPLAY) and
      # finally to ":0.0".
      if {!$explicitDisplay && [catch {set display [winfo screen .]}]} {
          if {![info exists ::env(DISPLAY)]} {
              Log $slave "no winfo screen . nor env(DISPLAY)" WARNING
              set display ":0.0"
          } else {
              set display $::env(DISPLAY)
          }
      }

      # Get state for access to the cleanupHook.
      namespace upvar ::safe S$slave state

      if {[::tcl::OptProcArgGiven "-use"]} {
          # Delete hook (the slave argument is added by interpDelete):
          # only tkInit(slave) has to be cleaned up in this case.
          set state(cleanupHook) [list disallowTk]

          if {[string match ".*" $use]} {
              # Be nice and also accept Tk window names instead of ids.
              set hostWindow $use
              set use [winfo id $hostWindow]
              set nDisplay [winfo screen $hostWindow]
          } elseif {[catch {winfo pathname $use} hostPath]} {
              # The id is not one of our windows: can't have a better
              # -display value than the one we already hold.
              set nDisplay $display
          } else {
              # Better -display value.  Works only for multiple screens
              # on a single host, not across hosts; a Tk window name
              # would be better for that, but embedding is also useful
              # for non-Tk windows.
              set nDisplay [winfo screen $hostPath]
          }

          if {$nDisplay ne $display} {
              # An explicit -display that disagrees with the -use window
              # is an error; an implicit one is simply corrected.
              if {$explicitDisplay} {
                  return -code error -errorcode {TK DISPLAY SAFE} \
                      "conflicting -display $display and -use $use -> $nDisplay"
              }
              set display $nDisplay
          }
      } else {
          # Create a decorated toplevel.
          lassign [tkTopLevel $slave $display] w use

          # Delete hook (the slave argument is added by interpDelete):
          # cleans up both the window-related state and tkInit(slave).
          set state(cleanupHook) [list tkDelete {} $w]
      }

      # Prepare the slave for Tk with those parameters, then load Tk.
      tkInterpInit $slave [list "-use" $use "-display" $display]
      load {} Tk $slave

      return $slave
  }
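  # safe::TkInit --
  #
  #   Return the Tk initialization arguments recorded for an interp, or
  #   refuse when none were recorded.  Per the note at the top of this
  #   file, the C-side Tk_Init asks the master's safe::TkInit for these
  #   parameters instead of relying on the slave's state.
  #
  # Arguments:
  #   interpPath  slave interpreter handle
  #
  # Results:
  #   The value stored in tkInit(interpPath) by safe::allowTk.  Raises
  #   an error with -errorcode {TK SAFE PERMISSION} and message
  #   "not allowed" when no entry exists for interpPath.
  proc ::safe::TkInit {interpPath} {
      variable tkInit

      if {![info exists tkInit($interpPath)]} {
          # No entry means allowTk was never called for this interp (or
          # disallowTk already removed it).  The log line must say
          # "without clearance": the previous wording ("with clearance")
          # stated the opposite of what this branch detects, which
          # misleads anyone triaging refused Tk initializations.
          Log $interpPath "TkInit called for interp without clearance:\
                  preventing Tk init" ERROR
          return -code error -errorcode {TK SAFE PERMISSION} "not allowed"
      }

      set value $tkInit($interpPath)
      Log $interpPath "TkInit called, returning \"$value\"" NOTICE
      return $value
  }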
  # safe::allowTk --
  #
  #   Record clearance for an interp: store argv in tkInit(interpPath)
  #   so that safe::TkInit will allow Tk to be initialized and hand
  #   these arguments back.
  #
  # Arguments:
  #   interpPath  slave interpreter handle
  #   argv        arguments passed to safe::tkInterpInit
  #
  # Results:
  #   none.
  proc ::safe::allowTk {interpPath argv} {
      variable tkInit
      # Overwrites any value previously recorded for this interp.
      array set tkInit [list $interpPath $argv]
      return
  }
  # safe::disallowTk --
  #
  #   Withdraw clearance for an interp: remove tkInit(interpPath) so
  #   that safe::TkInit refuses to initialize Tk for it.
  #
  # Arguments:
  #   interpPath  slave interpreter handle
  #
  # Results:
  #   none.
  proc ::safe::disallowTk {interpPath} {
      variable tkInit
      # The entry can already have been deleted by the DeleteHook of the
      # interp, so a missing entry is not an error.
      unset -nocomplain tkInit($interpPath)
      return
  }
  # safe::tkDelete --
  #
  #   Clean up after a safe Tk interp: delete the interp if it still
  #   exists, destroy its window if it still exists, and withdraw its
  #   Tk clearance.
  #
  # Arguments:
  #   W       widget the call was triggered for (only logged here; the
  #           body does not filter on it)
  #   window  toplevel window associated with the interp
  #   slave   slave interpreter handle
  #
  # Results:
  #   none.
  proc ::safe::tkDelete {W window slave} {
      Log $slave "Called tkDelete $W $window" NOTICE

      # Tear down the interp first; a failure is logged, not raised, so
      # that the window and the clearance are still cleaned up below.
      if {[::interp exists $slave] && [catch {::safe::interpDelete $slave} msg]} {
          Log $slave "Deletion error : $msg"
      }

      if {[winfo exists $window]} {
          Log $slave "Destroy toplevel $window" NOTICE
          destroy $window
      }

      # Clean up tkInit(slave) so safe::TkInit no longer accepts it.
      disallowTk $slave
      return
  }
  # safe::tkTopLevel --
  #
  #   Create the decorated toplevel that hosts a safe slave's Tk: a red
  #   warning bar with an "Untrusted Tcl applet" label and a "Delete"
  #   button, plus a container frame for embedding.
  #
  # Arguments:
  #   slave    slave interpreter handle (used in messages and bindings)
  #   display  screen on which to create the toplevel
  #
  # Results:
  #   A two-element list: the toplevel window name and the window id of
  #   its container frame, to be used for embedding.  Raises an error
  #   with -errorcode {TK TOPLEVEL SAFE} if the toplevel cannot be
  #   created.
  proc ::safe::tkTopLevel {slave display} {
      variable tkSafeId

      # Every safe toplevel gets its own name: .safe1, .safe2, ...
      set w ".safe[incr tkSafeId]"
      if {[catch {toplevel $w -screen $display -class SafeTk} msg]} {
          return -code error -errorcode {TK TOPLEVEL SAFE} \
              "Unable to create toplevel for safe slave \"$slave\" ($msg)"
      }
      Log $slave "New toplevel $w" NOTICE

      set title "Untrusted Tcl applet ($slave)"
      wm title $w $title

      # Control frame (we must create a style for it).  It is a child of
      # the toplevel itself; only the container frame's id is returned
      # for embedding.
      ttk::style layout TWarningFrame {WarningFrame.border -sticky nswe}
      ttk::style configure TWarningFrame -background red
      set wc $w.fc
      ttk::frame $wc -relief ridge -borderwidth 4 -style TWarningFrame

      # The interp is destroyed when the window is destroyed: a private
      # bindtag on the control frame carries the <Destroy> binding.
      bindtags $wc [linsert [bindtags $wc] 0 Safe$wc]
      bind Safe$wc <Destroy> [list ::safe::tkDelete %W $w $slave]

      ttk::label $wc.l -text $title -anchor w

      # The button lives in its own frame so that it does not expand
      # horizontally, yet keeps the default background instead of the
      # red one of the parent.
      ttk::frame $wc.fb -borderwidth 0
      ttk::button $wc.fb.b -text "Delete" \
          -command [list ::safe::tkDelete $w $w $slave]

      # The button must be the last visible item, so it is packed first,
      # on the right.
      pack $wc.fb.b -side right -fill both
      pack $wc.fb -side right -fill both -expand 1
      pack $wc.l -side left -fill both -expand 1 -ipady 2
      pack $wc -side bottom -fill x

      # Container frame.
      frame $w.c -container 1
      pack $w.c -fill both -expand 1

      # Both the toplevel window name and the id to use for embedding.
      return [list $w [winfo id $w.c]]
  }