| Ticket UUID: | 2906841 | |||
| Title: | calling [glob ../*] in an safe interp returns weird things | |||
| Type: | Bug | Version: | obsolete: 8.6b1.1 | |
| Submitter: | john13a | Created on: | 2009-12-01 14:21:40 | |
| Subsystem: | 33. Safe Base | Assigned To: | dkf | |
| Priority: | 9 Immediate | Severity: | ||
| Status: | Closed | Last Modified: | 2009-12-17 06:45:39 | |
| Resolution: | Fixed | Closed By: | dkf | |
| Closed on: | 2009-12-16 23:45:39 | |||
| Description: |
8.5.7 - Windows
% safe::interpCreate test
test
% test eval glob ../*
{../All Users} ../Johannes
8.6b1.1 - Windows
% safe::interpCreate test
test
% test eval glob ../*
can't read "msg": no such variable
% set errorInfo
can't read "msg": no such variable
while executing
"Log $slave "GLOB @ $msg" NOTICE"
(procedure "::safe::AliasGlob" line 65)
invoked from within
"glob ../*"
invoked from within
"test eval glob ../*"
Some results from others
<dkf> $ tclsh8.5
<dkf> % safe::interpCreate test
<dkf> test
<dkf> % test eval glob ../*
<dkf> invalid command name "glob"
<emiliano> emiliano@merlot:~$ tclsh8.6
<emiliano> % safe::interpCreate test
<emiliano> test
<emiliano> % test eval glob ../*
<emiliano> ../ftp ../emiliano
<emiliano> HEAD (two or three days ago), linux
| |||
| User Comments: |
dkf added on 2009-12-17 06:45:39:
allow_comments - 1 Rewrote to allow more options (-types is fine) and to be more careful with anything with path implications (-join is tricky!) dkf added on 2009-12-04 23:37:54: Correction, we pass -nocomplain through, but if we've got it, we fail noisily in some cases where we shouldn't (i.e., with paths that are non-readable by policy). dkf added on 2009-12-04 16:27:39: Notable issues: 1. we check the second -directory option 2. we don't handle -nocomplain 3. we get confused by glob metachars in the path part of a pattern dkf added on 2009-12-04 16:26:00: More work required. Currently we handle many things wrongly anyway dkf added on 2009-12-03 22:51:40: Fixed for 8.6 HEAD I think, but needs review and backport (can't just use patch; 8.6 version uses [try]). dkf added on 2009-12-03 21:09:21: OK, with digging around I find that this security bug was introduced with the fix for [Bug 1999119] (enabling Tcl Module support) which corresponds to the 1.16->1.17 or 1.16->1.16.4.1 change. The issue is that AliasGlob does not check for directory components in the pattern arguments to [glob], let alone work out whether those components refer to to locations that are "bad". :-( dkf added on 2009-12-02 22:52:39: Correction, that's with 1.16.4.2 dkf added on 2009-12-02 22:48:17:
allow_comments - 0
With safe.tcl 1.33 in the tip of the 8.5 branch, I get globbing where I wouldn't expect it:
bash$ make -C unix shell
DYLD_LIBRARY_PATH="`pwd`:${DYLD_LIBRARY_PATH}"; export DYLD_LIBRARY_PATH; \
TCL_LIBRARY="/Users/dkf/Documents/software/tcl8.5/library"; export TCL_LIBRARY; \
./tclsh
% safe::interpCreate test
test
% test eval glob ../*
../ChangeLog ../ChangeLog.1999 ../ChangeLog.2000 ../ChangeLog.2001 ../ChangeLog.2002 ../ChangeLog.2003 ../ChangeLog.2004 ../ChangeLog.2005 ../ChangeLog.~1.3975.2.269.~ ../changes ../compat ../CVS ../doc ../generic ../library ../libtommath ../license.terms ../macosx ../README ../tests ../tools ../unix ../win
andreas_kupries added on 2009-12-02 00:52:21: allow_comments - 1 andreas_kupries added on 2009-12-02 00:52:20: Definitely the old buggy code I fixed on 2009-10-05 (The first fixed revision was rev 1.19). http://tcl.cvs.sourceforge.net/viewvc/tcl/tcl/library/safe.tcl?r1=1.18&r2=1.19 You need a newer Tcl to get the fix. john13a added on 2009-12-02 00:31:05: See uploaded files. :) 8.5.7: # RCS: @(#) $Id: safe.tcl,v 1.16.4.1 2008/06/25 16:42:05 andreas_kupries Exp $ 8.6b1.1 # RCS: @(#) $Id: safe.tcl,v 1.18 2009/07/26 11:40:24 dkf Exp $ john13a added on 2009-12-02 00:27:23: File Added - 353442: safe.tcl andreas_kupries added on 2009-12-02 00:15:24: Hm. What is your revision of safe.tcl ?
(Installed under [info library], see the RCS comment line at the top).
Mine is CVS head as of the time of this comment, revision 1.33, and I do not see the problem/error.
The relevant code in my file safe.tcl is
try {
::interp invokehidden $slave glob {*}$cmd
* } on ok msg {
*# Nothing to be done, just capture the 'msg' for later.
} on error msg {
Log $slave $msg
return -code error "script error"
}
Log $slave "GLOB @ $msg" NOTICE
and the lines I marked with * are presumably missing in your revision ... Checking the ChangeLog I also find
2009-10-05 Andreas Kupries <[email protected]>
* library/safe.tcl (AliasGlob): Fixed conversion of catch to
try/finally, it had an 'on ok msg' branch missing, causing a
silent error immediately, and bogus glob results, breaking
search for Tcl modules.
which looks to me is the problem you are running into. MY guess is that your Tcl is older than that entry.
andreas_kupries added on 2009-12-02 00:00:21: I believe that I introduced this problem when I reworked the safebase to be more uptodate in its use of Tcl's features. Reassigning to myself. john13a added on 2009-12-01 21:21:40: File Added - 353416: safe.tcl | |||
Attachments:
- safe.tcl [download] added by john13a on 2009-12-02 00:27:23. [details]