Re: [TCLCORE] CFV: TIPs 147, 148, 151

[Donal K. F. <fel...@cs...>]

Kevin Kenny:
> Jeff, if you can come up with a comprehensible way to document
> the existing behaviour (credit Joe with the example):
> 
>     # Try this at a tclsh prompt:
>     set x [list #foo] ; proc #foo {} { puts Hi! }
>     eval $x		;# ==> prints "Hi!"
>     puts $x
>     eval $x		;# ==> does nothing.
> 
> then I'll support your position.

Here's another nasty case (don't run it at home!):

  set cmd "\u0023auto"
  set untrustedCode "\n file delete -force ~ \n"
  interp create -safe -- $cmd
  set command [list $cmd eval $untrustedCode]
  puts $logfile "About to execute $command"
  eval $command

With this, nothing bad will happen for any value of $cmd, even given
fairly malicious $untrustedCode contents, unless it starts with a '#'
character, which makes the command run in a different context
altogether and (incidentally in this case) kills your home directory.
What does this demonstrate?  IMHO it shows that analyizing one's code
to tell if it is free of security problems is actually far harder than
it ought to be!  If list generation follows the TIP#148 modification,
then the above code is reliably safe.

Donal (Bizarre Cases 'R' Us!)