#3654 trusted info leaks into safe interp via TIP 280

obsolete: 8.5a6
open
7
2007-06-10
2007-02-26
Don Porter
No

Save demo script in a file and [source] in a trusted interp:

interp create -safe slave
puts [slave eval {
return -level 0 "I know about [dict get [info frame 0] file]"
}]

This demonstrates filesystem information leaking in the safe interp.

Since [glob] is denied to a safe interp, it seems that such information is meant to be denied.
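
A regression check for the leak reported above, added here as an example and not part of the original report or of Tcl's own test suite: it walks every frame that `info frame` will return inside a safe interp and flags any `file` key or any value containing the trusted script's path. The names `probe`, `leakedKeys` and `trustedPath` are assumptions of this example; like the demo, it must be saved to a file and sourced or run with tclsh (8.5 or later).

```tcl
# Added example: audit what [info frame] exposes to a safe interp.
proc leakedKeys {frames needle} {
    # Return {level key value} triples that reveal filesystem information.
    # Level 0 is the innermost frame, -1 its caller, and so on.
    set hits {}
    set level 0
    foreach frame $frames {
        dict for {key value} $frame {
            if {$key eq "file" || [string first $needle $value] >= 0} {
                lappend hits [list $level $key $value]
            }
        }
        incr level -1
    }
    return $hits
}

# Path of this trusted script; the safe interp should never learn it.
set trustedPath [file normalize [info script]]

interp create -safe probe
# The probe body is a literal at file top level, as in the report's demo.
# It collects frames 0, -1, -2, ... until [info frame] refuses the level.
set frames [probe eval {
    set frames {}
    set n 0
    while {![catch {info frame $n} frame]} {
        lappend frames $frame
        incr n -1
    }
    set frames
}]
interp delete probe

set hits [leakedKeys $frames $trustedPath]
if {[llength $frames] == 0} {
    puts "info frame returned nothing inside the safe interp"
} elseif {[llength $hits] == 0} {
    puts "[llength $frames] frame(s) readable, no filesystem paths visible"
} else {
    foreach hit $hits {
        lassign $hit level key value
        puts "LEAK at frame $level: $key = $value"
    }
    exit 1
}
```

The non-zero exit status on a leak lets the script serve as a check in a test run against whichever Tcl build is being evaluated.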

Discussion

  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-06-10

    Logged In: YES
    user_id=72656
    Originator: NO

    We can filter information with Tcl_IsSafe checks, but what exactly is "secure" info is a gray area.

     
  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-06-10
    • priority: 5 --> 7
    • assigned_to: hobbs --> andreas_kupries