Tcl/Tk Security issues

Safe-Tcl information at tcl.tk is now out-of-date:

"The primary mechanism provided by Safe-Tcl to grant privileges is command aliases. An alias is a command in the untrusted interpreter that is really implemented by a different, fully trusted interpreter. This is much like the user-mode and kernel-modes in multiuser operating systems. In Safe-Tcl, an untrusted script is isolated in its interpreter context, and given a few extra commands that are carefully implemented by another Tcl intpreter to ensure safety."

Browser plugin information from tcl.tk follows:

The browser plugin removes:

bell - ring terminal bell
cd - change directory
clipboard - access CLIPBOARD selection
exec - run programs
exit - terminate the process
glob - match file names in a directory
grab - grab the cursor
menu - display a menu
load - dynamically load shared libraries that implement new Tcl commands in C.
open - open a file. Actually a restricted version of this command is available that lets you open files in the Tcl script library for reading only.
pwd - query current directory
send - send Tcl commands to other Tk applications
socket - open a network socket
source - load script files.
tk - set/query Tk application name
tkwait - block on events. You can use vwait to wait for variables to change.
toplevel - create toplevel windows.
wm - window manager control
Tk images cannot be created from files. Instead, the image create photo command now takes a base64 encoded gif as a string instead of reading from a file.

Google Books version of 2003 Welch book:

Chapter 19 of this book may be one of the best resources but the plugin was revised that year by Jeff Hobbs of ActiveState.

ActiveState mail lists on Tcl/Tk.

Tcl client-side HTTP information.

SUN Safe-Tcl entry,the ACM Portal entry and the CiteSeer entry.

Information on Extended Tcl and XOTcl

Extended Tcl at sourceforge.net

XOTcl home and on-line reference.

iTcl page for [incr Tcl], i.e., "Tcl++"

Tk across Python, Ruby and Perl: documention has no entry for security at this time (20090909)

Perl and Tk

links with Tk at CPAN

directories with Tk at CPAN

perl-Tk at CPAN

Book (2003)

Book (Google Books: O'Reilly)

Python tkinter

mail list

tkinter at python.org

wiki for tkinter

Ruby Tk

Tk links at Ruby raa archive

Tk at rubyforge (arcadia IDE)

Oz Qtk declarative Tk interface

PDF (2002)

manual (HTML)

Tcl items at insecure.org

Security update items:

Novell Tk Suse update

Madriva perl-Tk update

Tk developers web site

Tk 8.5 manual (ActiveState)

Tk at ActiveState

Tcl Expect at nist

XOTcl IDE

John Ousterhout page at tcl.tk