From: Donal K. F. <fel...@cs...> - 2003-08-29 22:44:08
Kevin Kenny:
> Jeff, if you can come up with a comprehensible way to document
> the existing behaviour (credit Joe with the example):
>
>   # Try this at a tclsh prompt:
>   set x [list #foo] ; proc #foo {} { puts Hi! }
>   eval $x ;# ==> prints "Hi!"
>   puts $x
>   eval $x ;# ==> does nothing.
>
> then I'll support your position.

Here's another nasty case (don't run it at home!):

  set cmd "\u0023auto"
  set untrustedCode "\n file delete -force ~ \n"
  interp create -safe -- $cmd
  set command [list $cmd eval $untrustedCode]
  puts $logfile "About to execute $command"
  eval $command

With this, nothing bad will happen for any value of $cmd, even given
fairly malicious $untrustedCode contents, unless it starts with a '#'
character, which makes the command run in a different context
altogether and (incidentally in this case) kills your home directory.

What does this demonstrate? IMHO it shows that analyzing one's code
to tell if it is free of security problems is actually far harder than
it ought to be! If list generation follows the TIP#148 modification,
then the above code is reliably safe.

Donal (Bizarre Cases 'R' Us!)
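
A defensive wrapper for the pattern in the message above, as an added example that is not part of the original post or of Tcl itself. The names `hashLeaksIntoStringRep`, `checkedEval` and `#probe` are hypothetical, the commands are benign stand-ins, and Tcl 8.4 or later is assumed (for the `eq` operator).

```tcl
# Added example; helper names are hypothetical and every command is benign.
proc #probe {} { return "ran as a command" }

# 1 if a leading '#' survives unquoted in a list's string form
# (the behaviour TIP #148 changes), 0 if the element gets quoted.
proc hashLeaksIntoStringRep {} {
    set l [list #probe]
    return [expr {[string index $l 0] eq "#"}]
}

# Evaluate a command list in the caller's scope, but refuse any list whose
# first word begins with '#': once such a list has been used as a string
# (logged, concatenated, ...), eval may read it as a comment followed by
# whatever comes after the next newline.
proc checkedEval {command} {
    if {[catch {lindex $command 0} word0]} {
        return -code error "command is not a well-formed list"
    }
    if {[string index $word0 0] eq "#"} {
        return -code error "command name \"$word0\" begins with '#'"
    }
    return [uplevel 1 $command]
}

puts "leading '#' unquoted in list string form: [hashLeaksIntoStringRep]"

set ok  [list string length "abc"]
set bad [list #probe]
puts "logging forces the string form: $bad"

puts "ok  -> [checkedEval $ok]"
if {[catch {checkedEval $bad} msg]} {
    puts "bad -> rejected: $msg"
}
```

The guard inspects the first list element rather than the string form, so it rejects the command whether or not the string representation has been generated yet.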