Spaces:
Sleeping
Sleeping
| # safetk.tcl -- | |
| # | |
| # Support procs to use Tk in safe interpreters. | |
| # | |
| # Copyright (c) 1997 Sun Microsystems, Inc. | |
| # | |
| # See the file "license.terms" for information on usage and redistribution | |
| # of this file, and for a DISCLAIMER OF ALL WARRANTIES. | |
| # see safetk.n for documentation | |
| # | |
| # | |
| # Note: It is now ok to let untrusted code being executed | |
| # between the creation of the interp and the actual loading | |
| # of Tk in that interp because the C side Tk_Init will | |
| # now look up the master interp and ask its safe::TkInit | |
| # for the actual parameters to use for it's initialization (if allowed), | |
| # not relying on the slave state. | |
| # | |
| # We use opt (optional arguments parsing) | |
| package require opt 0.4.1; | |
| namespace eval ::safe { | |
| # counter for safe toplevels | |
| variable tkSafeId 0 | |
| } | |
| # | |
| # tkInterpInit : prepare the slave interpreter for tk loading | |
| # most of the real job is done by loadTk | |
| # returns the slave name (tkInterpInit does) | |
| # | |
| proc ::safe::tkInterpInit {slave argv} { | |
| global env tk_library | |
| # We have to make sure that the tk_library variable is normalized. | |
| set tk_library [file normalize $tk_library] | |
| # Clear Tk's access for that interp (path). | |
| allowTk $slave $argv | |
| # Ensure tk_library and subdirs (eg, ttk) are on the access path | |
| ::interp eval $slave [list set tk_library [::safe::interpAddToAccessPath $slave $tk_library]] | |
| foreach subdir [::safe::AddSubDirs [list $tk_library]] { | |
| ::safe::interpAddToAccessPath $slave $subdir | |
| } | |
| return $slave | |
| } | |
| # tkInterpLoadTk: | |
| # Do additional configuration as needed (calling tkInterpInit) | |
| # and actually load Tk into the slave. | |
| # | |
| # Either contained in the specified windowId (-use) or | |
| # creating a decorated toplevel for it. | |
| # empty definition for auto_mkIndex | |
| proc ::safe::loadTk {} {} | |
| ::tcl::OptProc ::safe::loadTk { | |
| {slave -interp "name of the slave interpreter"} | |
| {-use -windowId {} "window Id to use (new toplevel otherwise)"} | |
| {-display -displayName {} "display name to use (current one otherwise)"} | |
| } { | |
| set displayGiven [::tcl::OptProcArgGiven "-display"] | |
| if {!$displayGiven} { | |
| # Try to get the current display from "." | |
| # (which might not exist if the master is tk-less) | |
| if {[catch {set display [winfo screen .]}]} { | |
| if {[info exists ::env(DISPLAY)]} { | |
| set display $::env(DISPLAY) | |
| } else { | |
| Log $slave "no winfo screen . nor env(DISPLAY)" WARNING | |
| set display ":0.0" | |
| } | |
| } | |
| } | |
| # Get state for access to the cleanupHook. | |
| namespace upvar ::safe S$slave state | |
| if {![::tcl::OptProcArgGiven "-use"]} { | |
| # create a decorated toplevel | |
| lassign [tkTopLevel $slave $display] w use | |
| # set our delete hook (slave arg is added by interpDelete) | |
| # to clean up both window related code and tkInit(slave) | |
| set state(cleanupHook) [list tkDelete {} $w] | |
| } else { | |
| # set our delete hook (slave arg is added by interpDelete) | |
| # to clean up tkInit(slave) | |
| set state(cleanupHook) [list disallowTk] | |
| # Let's be nice and also accept tk window names instead of ids | |
| if {[string match ".*" $use]} { | |
| set windowName $use | |
| set use [winfo id $windowName] | |
| set nDisplay [winfo screen $windowName] | |
| } else { | |
| # Check for a better -display value | |
| # (works only for multi screens on single host, but not | |
| # cross hosts, for that a tk window name would be better | |
| # but embeding is also usefull for non tk names) | |
| if {![catch {winfo pathname $use} name]} { | |
| set nDisplay [winfo screen $name] | |
| } else { | |
| # Can't have a better one | |
| set nDisplay $display | |
| } | |
| } | |
| if {$nDisplay ne $display} { | |
| if {$displayGiven} { | |
| return -code error -errorcode {TK DISPLAY SAFE} \ | |
| "conflicting -display $display and -use $use -> $nDisplay" | |
| } else { | |
| set display $nDisplay | |
| } | |
| } | |
| } | |
| # Prepares the slave for tk with those parameters | |
| tkInterpInit $slave [list "-use" $use "-display" $display] | |
| load {} Tk $slave | |
| return $slave | |
| } | |
| proc ::safe::TkInit {interpPath} { | |
| variable tkInit | |
| if {[info exists tkInit($interpPath)]} { | |
| set value $tkInit($interpPath) | |
| Log $interpPath "TkInit called, returning \"$value\"" NOTICE | |
| return $value | |
| } else { | |
| Log $interpPath "TkInit called for interp with clearance:\ | |
| preventing Tk init" ERROR | |
| return -code error -errorcode {TK SAFE PERMISSION} "not allowed" | |
| } | |
| } | |
| # safe::allowTk -- | |
| # | |
| # Set tkInit(interpPath) to allow Tk to be initialized in | |
| # safe::TkInit. | |
| # | |
| # Arguments: | |
| # interpPath slave interpreter handle | |
| # argv arguments passed to safe::TkInterpInit | |
| # | |
| # Results: | |
| # none. | |
| proc ::safe::allowTk {interpPath argv} { | |
| variable tkInit | |
| set tkInit($interpPath) $argv | |
| return | |
| } | |
| # safe::disallowTk -- | |
| # | |
| # Unset tkInit(interpPath) to disallow Tk from getting initialized | |
| # in safe::TkInit. | |
| # | |
| # Arguments: | |
| # interpPath slave interpreter handle | |
| # | |
| # Results: | |
| # none. | |
| proc ::safe::disallowTk {interpPath} { | |
| variable tkInit | |
| # This can already be deleted by the DeleteHook of the interp | |
| if {[info exists tkInit($interpPath)]} { | |
| unset tkInit($interpPath) | |
| } | |
| return | |
| } | |
| # safe::tkDelete -- | |
| # | |
| # Clean up the window associated with the interp being deleted. | |
| # | |
| # Arguments: | |
| # interpPath slave interpreter handle | |
| # | |
| # Results: | |
| # none. | |
| proc ::safe::tkDelete {W window slave} { | |
| # we are going to be called for each widget... skip untill it's | |
| # top level | |
| Log $slave "Called tkDelete $W $window" NOTICE | |
| if {[::interp exists $slave]} { | |
| if {[catch {::safe::interpDelete $slave} msg]} { | |
| Log $slave "Deletion error : $msg" | |
| } | |
| } | |
| if {[winfo exists $window]} { | |
| Log $slave "Destroy toplevel $window" NOTICE | |
| destroy $window | |
| } | |
| # clean up tkInit(slave) | |
| disallowTk $slave | |
| return | |
| } | |
| proc ::safe::tkTopLevel {slave display} { | |
| variable tkSafeId | |
| incr tkSafeId | |
| set w ".safe$tkSafeId" | |
| if {[catch {toplevel $w -screen $display -class SafeTk} msg]} { | |
| return -code error -errorcode {TK TOPLEVEL SAFE} \ | |
| "Unable to create toplevel for safe slave \"$slave\" ($msg)" | |
| } | |
| Log $slave "New toplevel $w" NOTICE | |
| set msg "Untrusted Tcl applet ($slave)" | |
| wm title $w $msg | |
| # Control frame (we must create a style for it) | |
| ttk::style layout TWarningFrame {WarningFrame.border -sticky nswe} | |
| ttk::style configure TWarningFrame -background red | |
| set wc $w.fc | |
| ttk::frame $wc -relief ridge -borderwidth 4 -style TWarningFrame | |
| # We will destroy the interp when the window is destroyed | |
| bindtags $wc [concat Safe$wc [bindtags $wc]] | |
| bind Safe$wc <Destroy> [list ::safe::tkDelete %W $w $slave] | |
| ttk::label $wc.l -text $msg -anchor w | |
| # We want the button to be the last visible item | |
| # (so be packed first) and at the right and not resizing horizontally | |
| # frame the button so it does not expand horizontally | |
| # but still have the default background instead of red one from the parent | |
| ttk::frame $wc.fb -borderwidth 0 | |
| ttk::button $wc.fb.b -text "Delete" \ | |
| -command [list ::safe::tkDelete $w $w $slave] | |
| pack $wc.fb.b -side right -fill both | |
| pack $wc.fb -side right -fill both -expand 1 | |
| pack $wc.l -side left -fill both -expand 1 -ipady 2 | |
| pack $wc -side bottom -fill x | |
| # Container frame | |
| frame $w.c -container 1 | |
| pack $w.c -fill both -expand 1 | |
| # return both the toplevel window name and the id to use for embedding | |
| list $w [winfo id $w.c] | |
| } | |