1interp(n) Tcl Built-In Commands interp(n)
2______________________________________________________________________________
6
8 interp - Create and manipulate Tcl interpreters
9
11 interp option ?arg arg ...?
12_________________________________________________________________
13
16 This command makes it possible to create one or more new Tcl inter‐
17 preters that co-exist with the creating interpreter in the same appli‐
18 cation. The creating interpreter is called the master and the new
19 interpreter is called a slave. A master can create any number of
20 slaves, and each slave can itself create additional slaves for which it
21 is master, resulting in a hierarchy of interpreters.
22 Each interpreter is independent from the others: it has its own name
24 space for commands, procedures, and global variables. A master inter‐
25 preter may create connections between its slaves and itself using a
26 mechanism called an alias. An alias is a command in a slave inter‐
27 preter which, when invoked, causes a command to be invoked in its mas‐
28 ter interpreter or in another slave interpreter. The only other con‐
29 nections between interpreters are through environment variables (the
30 env variable), which are normally shared among all interpreters in the
31 application. Note that the name space for files (such as the names
32 returned by the open command) is no longer shared between interpreters.
33 Explicit commands are provided to share files and to transfer refer‐
34 ences to open files from one interpreter to another.
35 The interp command also provides support for safe interpreters. A safe
37 interpreter is a slave whose functions have been greatly restricted, so
38 that it is safe to execute untrusted scripts without fear of them dam‐
39 aging other interpreters or the application's environment. For example,
40 all IO channel creation commands and subprocess creation commands are
41 made inaccessible to safe interpreters. See SAFE INTERPRETERS below │
42 for more information on what features are present in a safe inter‐ │
43 preter. The dangerous functionality is not removed from the safe │
44 interpreter; instead, it is hidden, so that only trusted interpreters │
45 can obtain access to it. For a detailed explanation of hidden commands, │
46 see HIDDEN COMMANDS, below. The alias mechanism can be used for pro‐ │
47 tected communication (analogous to a kernel call) between a slave │
48 interpreter and its master. See ALIAS INVOCATION, below, for more │
49 details on how the alias mechanism works.
50 A qualified interpreter name is a proper Tcl lists containing a subset
52 of its ancestors in the interpreter hierarchy, terminated by the string
53 naming the interpreter in its immediate master. Interpreter names are
54 relative to the interpreter in which they are used. For example, if a
55 is a slave of the current interpreter and it has a slave a1, which in
56 turn has a slave a11, the qualified name of a11 in a is the list a1
57 a11.
58 The interp command, described below, accepts qualified interpreter
60 names as arguments; the interpreter in which the command is being eval‐
61 uated can always be referred to as {} (the empty list or string). Note
62 that it is impossible to refer to a master (ancestor) interpreter by
63 name in a slave interpreter except through aliases. Also, there is no
64 global name by which one can refer to the first interpreter created in
65 an application. Both restrictions are motivated by safety concerns.
66
68 The interp command is used to create, delete, and manipulate slave
69 interpreters, and to share or transfer channels between interpreters.
70 It can have any of several forms, depending on the option argument:
71 interp alias srcPath srcToken
73 Returns a Tcl list whose elements are the targetCmd and args
74 associated with the alias represented by srcToken (this is the
75 value returned when the alias was created; it is possible that
76 the name of the source command in the slave is different from
77 srcToken).
78 interp alias srcPath srcToken {}
80 Deletes the alias for srcToken in the slave interpreter identi‐
81 fied by srcPath. srcToken refers to the value returned when the
82 alias was created; if the source command has been renamed, the
83 renamed command will be deleted.
84 interp alias srcPath srcCmd targetPath targetCmd ?arg arg ...?
86 This command creates an alias between one slave and another (see
87 the alias slave command below for creating aliases between a
88 slave and its master). In this command, either of the slave
89 interpreters may be anywhere in the hierarchy of interpreters
90 under the interpreter invoking the command. SrcPath and srcCmd
91 identify the source of the alias. SrcPath is a Tcl list whose
92 elements select a particular interpreter. For example, ``a b''
93 identifies an interpreter b, which is a slave of interpreter a,
94 which is a slave of the invoking interpreter. An empty list
95 specifies the interpreter invoking the command. srcCmd gives
96 the name of a new command, which will be created in the source
97 interpreter. TargetPath and targetCmd specify a target inter‐
98 preter and command, and the arg arguments, if any, specify addi‐
99 tional arguments to targetCmd which are prepended to any argu‐
100 ments specified in the invocation of srcCmd. TargetCmd may be
101 undefined at the time of this call, or it may already exist; it
102 is not created by this command. The alias arranges for the
103 given target command to be invoked in the target interpreter
104 whenever the given source command is invoked in the source
105 interpreter. See ALIAS INVOCATION below for more details. The
106 command returns a token that uniquely identifies the command
107 created srcCmd, even if the command is renamed afterwards. The
108 token may but does not have to be equal to srcCmd.
109 interp aliases ?path?
111 This command returns a Tcl list of the tokens of all the source
112 commands for aliases defined in the interpreter identified by
113 path. The tokens correspond to the values returned when the
114 aliases were created (which may not be the same as the current
115 names of the commands).
116 interp create ?-safe? ?--? ?path?
118 Creates a slave interpreter identified by path and a new com‐
119 mand, called a slave command. The name of the slave command is
120 the last component of path. The new slave interpreter and the
121 slave command are created in the interpreter identified by the
122 path obtained by removing the last component from path. For
123 example, if path is a b c then a new slave interpreter and slave
124 command named c are created in the interpreter identified by the
125 path a b. The slave command may be used to manipulate the new
126 interpreter as described below. If path is omitted, Tcl creates
127 a unique name of the form interpx, where x is an integer, and
128 uses it for the interpreter and the slave command. If the -safe
129 switch is specified (or if the master interpreter is a safe
130 interpreter), the new slave interpreter will be created as a
131 safe interpreter with limited functionality; otherwise the slave
132 will include the full set of Tcl built-in commands and vari‐
133 ables. The -- switch can be used to mark the end of switches;
134 it may be needed if path is an unusual value such as -safe. The
135 result of the command is the name of the new interpreter. The
136 name of a slave interpreter must be unique among all the slaves
137 for its master; an error occurs if a slave interpreter by the
138 given name already exists in this master. The initial recursion
139 limit of the slave interpreter is set to the current recursion
140 limit of its parent interpreter.
141 interp delete ?path ...?
143 Deletes zero or more interpreters given by the optional path
144 arguments, and for each interpreter, it also deletes its slaves.
145 The command also deletes the slave command for each interpreter
146 deleted. For each path argument, if no interpreter by that name
147 exists, the command raises an error.
148 interp eval path arg ?arg ...?
150 This command concatenates all of the arg arguments in the same
151 fashion as the concat command, then evaluates the resulting
152 string as a Tcl script in the slave interpreter identified by
153 path. The result of this evaluation (including error information
154 such as the errorInfo and errorCode variables, if an error
155 occurs) is returned to the invoking interpreter. Note that the
156 script will be executed in the current context stack frame of
157 the path interpreter; this is so that the implementations (in a
158 master interpreter) of aliases in a slave interpreter can exe‐
159 cute scripts in the slave that find out information about the
160 slave's current state and stack frame.
161 interp exists path
163 Returns 1 if a slave interpreter by the specified path exists
164 in this master, 0 otherwise. If path is omitted, the invoking
165 interpreter is used.
166 interp expose path hiddenName ?exposedCmdName? │
168 Makes the hidden command hiddenName exposed, eventually bringing │
169 it back under a new exposedCmdName name (this name is currently │
170 accepted only if it is a valid global name space name without │
171 any ::), in the interpreter denoted by path. If an exposed com‐ │
172 mand with the targeted name already exists, this command fails. │
173 Hidden commands are explained in more detail in HIDDEN COMMANDS, │
174 below. │
175 interp hide path exposedCmdName ?hiddenCmdName? │
177 Makes the exposed command exposedCmdName hidden, renaming it to │
178 the hidden command hiddenCmdName, or keeping the same name if │
179 hiddenCmdName is not given, in the interpreter denoted by path. │
180 If a hidden command with the targeted name already exists, this │
181 command fails. Currently both exposedCmdName and hiddenCmdName │
182 can not contain namespace qualifiers, or an error is raised. │
183 Commands to be hidden by interp hide are looked up in the global │
184 namespace even if the current namespace is not the global one. │
185 This prevents slaves from fooling a master interpreter into hid‐ │
186 ing the wrong command, by making the current namespace be dif‐ │
187 ferent from the global one. Hidden commands are explained in │
188 more detail in HIDDEN COMMANDS, below. │
189 interp hidden path │
191 Returns a list of the names of all hidden commands in the inter‐ │
192 preter identified by path. │
193 interp invokehidden path ?-global? hiddenCmdName ?arg ...? │
195 Invokes the hidden command hiddenCmdName with the arguments sup‐ │
196 plied in the interpreter denoted by path. No substitutions or │
197 evaluation are applied to the arguments. If the -global flag is │
198 present, the hidden command is invoked at the global level in │
199 the target interpreter; otherwise it is invoked at the current │
200 call frame and can access local variables in that and outer call │
201 frames. Hidden commands are explained in more detail in HIDDEN │
202 COMMANDS, below.
203 interp issafe ?path?
205 Returns 1 if the interpreter identified by the specified path is
206 safe, 0 otherwise.
207 interp marktrusted path │
209 Marks the interpreter identified by path as trusted. Does not │
210 expose the hidden commands. This command can only be invoked │
211 from a trusted interpreter. The command has no effect if the │
212 interpreter identified by path is already trusted.
213 interp recursionlimit path ?newlimit?
215 Returns the maximum allowable nesting depth for the interpreter
216 specified by path. If newlimit is specified, the interpreter
217 recursion limit will be set so that nesting of more than
218 newlimit calls to Tcl_Eval() and related procedures in that
219 interpreter will return an error. The newlimit value is also
220 returned. The newlimit value must be a positive integer between
221 1 and the maximum value of a non-long integer on the platform.
222 The command sets the maximum size of the Tcl call stack only. It
224 cannot by itself prevent stack overflows on the C stack being
225 used by the application. If your machine has a limit on the size
226 of the C stack, you may get stack overflows before reaching the
227 limit set by the command. If this happens, see if there is a
228 mechanism in your system for increasing the maximum size of the
229 C stack.
230 interp share srcPath channelId destPath
232 Causes the IO channel identified by channelId to become shared
233 between the interpreter identified by srcPath and the inter‐
234 preter identified by destPath. Both interpreters have the same
235 permissions on the IO channel. Both interpreters must close it
236 to close the underlying IO channel; IO channels accessible in an
237 interpreter are automatically closed when an interpreter is
238 destroyed.
239 interp slaves ?path?
241 Returns a Tcl list of the names of all the slave interpreters
242 associated with the interpreter identified by path. If path is
243 omitted, the invoking interpreter is used.
244 interp target path alias
246 Returns a Tcl list describing the target interpreter for an
247 alias. The alias is specified with an interpreter path and
248 source command name, just as in interp alias above. The name of
249 the target interpreter is returned as an interpreter path, rela‐
250 tive to the invoking interpreter. If the target interpreter for
251 the alias is the invoking interpreter then an empty list is
252 returned. If the target interpreter for the alias is not the
253 invoking interpreter or one of its descendants then an error is
254 generated. The target command does not have to be defined at
255 the time of this invocation.
256 interp transfer srcPath channelId destPath
258 Causes the IO channel identified by channelId to become avail‐
259 able in the interpreter identified by destPath and unavailable
260 in the interpreter identified by srcPath.
261
263 For each slave interpreter created with the interp command, a new Tcl
264 command is created in the master interpreter with the same name as the
265 new interpreter. This command may be used to invoke various operations
266 on the interpreter. It has the following general form:
267 slave command ?arg arg ...?
268 Slave is the name of the interpreter, and command and the args deter‐
269 mine the exact behavior of the command. The valid forms of this com‐
270 mand are:
271 slave aliases
273 Returns a Tcl list whose elements are the tokens of all the
274 aliases in slave. The tokens correspond to the values returned
275 when the aliases were created (which may not be the same as the
276 current names of the commands).
277 slave alias srcToken
279 Returns a Tcl list whose elements are the targetCmd and args
280 associated with the alias represented by srcToken (this is the
281 value returned when the alias was created; it is possible that
282 the actual source command in the slave is different from srcTo‐
283 ken).
284 slave alias srcToken {}
286 Deletes the alias for srcToken in the slave interpreter. srcTo‐
287 ken refers to the value returned when the alias was created; if
288 the source command has been renamed, the renamed command will be
289 deleted.
290 slave alias srcCmd targetCmd ?arg ..?
292 Creates an alias such that whenever srcCmd is invoked in slave,
293 targetCmd is invoked in the master. The arg arguments will be
294 passed to targetCmd as additional arguments, prepended before
295 any arguments passed in the invocation of srcCmd. See ALIAS
296 INVOCATION below for details. The command returns a token that
297 uniquely identifies the command created srcCmd, even if the com‐
298 mand is renamed afterwards. The token may but does not have to
299 be equal to srcCmd.
300 slave eval arg ?arg ..?
302 This command concatenates all of the arg arguments in the same
303 fashion as the concat command, then evaluates the resulting
304 string as a Tcl script in slave. The result of this evaluation
305 (including error information such as the errorInfo and errorCode
306 variables, if an error occurs) is returned to the invoking
307 interpreter. Note that the script will be executed in the cur‐
308 rent context stack frame of slave; this is so that the implemen‐
309 tations (in a master interpreter) of aliases in a slave inter‐
310 preter can execute scripts in the slave that find out informa‐
311 tion about the slave's current state and stack frame.
312 slave expose hiddenName ?exposedCmdName? │
314 This command exposes the hidden command hiddenName, eventually │
315 bringing it back under a new exposedCmdName name (this name is │
316 currently accepted only if it is a valid global name space name │
317 without any ::), in slave. If an exposed command with the tar‐ │
318 geted name already exists, this command fails. For more details │
319 on hidden commands, see HIDDEN COMMANDS, below. │
320 slave hide exposedCmdName ?hiddenCmdName? │
322 This command hides the exposed command exposedCmdName, renaming │
323 it to the hidden command hiddenCmdName, or keeping the same name │
324 if the argument is not given, in the slave interpreter. If a │
325 hidden command with the targeted name already exists, this com‐ │
326 mand fails. Currently both exposedCmdName and hiddenCmdName can │
327 not contain namespace qualifiers, or an error is raised. Com‐ │
328 mands to be hidden are looked up in the global namespace even if │
329 the current namespace is not the global one. This prevents │
330 slaves from fooling a master interpreter into hiding the wrong │
331 command, by making the current namespace be different from the │
332 global one. For more details on hidden commands, see HIDDEN │
333 COMMANDS, below. │
334 slave hidden │
336 Returns a list of the names of all hidden commands in slave. │
337 slave invokehidden ?-global hiddenName ?arg ..? │
339 This command invokes the hidden command hiddenName with the sup‐ │
340 plied arguments, in slave. No substitutions or evaluations are │
341 applied to the arguments. If the -global flag is given, the │
342 command is invoked at the global level in the slave; otherwise │
343 it is invoked at the current call frame and can access local │
344 variables in that or outer call frames. For more details on │
345 hidden commands, see HIDDEN COMMANDS, below.
346 slave issafe
348 Returns 1 if the slave interpreter is safe, 0 otherwise.
349 slave marktrusted │
351 Marks the slave interpreter as trusted. Can only be invoked by a │
352 trusted interpreter. This command does not expose any hidden │
353 commands in the slave interpreter. The command has no effect if │
354 the slave is already trusted.
355 slave recursionlimit ?newlimit?
357 Returns the maximum allowable nesting depth for the slave inter‐
358 preter. If newlimit is specified, the recursion limit in slave
359 will be set so that nesting of more than newlimit calls to
360 Tcl_Eval() and related procedures in slave will return an error.
361 The newlimit value is also returned. The newlimit value must be
362 a positive integer between 1 and the maximum value of a non-long
363 integer on the platform.
364 The command sets the maximum size of the Tcl call stack only. It
366 cannot by itself prevent stack overflows on the C stack being
367 used by the application. If your machine has a limit on the size
368 of the C stack, you may get stack overflows before reaching the
369 limit set by the command. If this happens, see if there is a
370 mechanism in your system for increasing the maximum size of the
371 C stack.
372
374 A safe interpreter is one with restricted functionality, so that is
375 safe to execute an arbitrary script from your worst enemy without fear
376 of that script damaging the enclosing application or the rest of your
377 computing environment. In order to make an interpreter safe, certain
378 commands and variables are removed from the interpreter. For example,
379 commands to create files on disk are removed, and the exec command is
380 removed, since it could be used to cause damage through subprocesses.
381 Limited access to these facilities can be provided, by creating aliases
382 to the master interpreter which check their arguments carefully and
383 provide restricted access to a safe subset of facilities. For example,
384 file creation might be allowed in a particular subdirectory and subpro‐
385 cess invocation might be allowed for a carefully selected and fixed set
386 of programs.
387 A safe interpreter is created by specifying the -safe switch to the
389 interp create command. Furthermore, any slave created by a safe inter‐
390 preter will also be safe.
391 A safe interpreter is created with exactly the following set of built-
393 in commands: after append array binary
394 break case catch clock close concat con‐
395 tinue eof error eval expr fblocked
396 fcopy fileevent flush for foreach for‐
397 mat gets global if incr info interp
398 join lappend lindex linsert
399 list llength lrange lreplace
400 lsearch lsort namespace package
401 pid proc puts read regexp reg‐
402 sub rename return scan seek set split
403 string subst switch tell
404 time trace unset update
405 uplevel upvar variable vwait while
406 The following commands are hidden by interp create when it creates a │
407 safe interpreter: cd encoding exec exit fconfig‐ │
408 ure file glob load │
409 open pwd socket source These commands can be recre‐ │
410 ated later as Tcl procedures or aliases, or re-exposed by interp │
411 expose. │
412 The following commands from Tcl's library of support procedures are not │
414 present in a safe interpreter: │
415 auto_exec_ok auto_import auto_load auto_load_index auto_qual‐ │
416 ify unknown Note in particular that safe interpreters have no │
417 default unknown command, so Tcl's default autoloading facilities are │
418 not available. Autoload access to Tcl's commands that are normally │
419 autoloaded: auto_mkindex auto_mkindex_old │
420 auto_reset history parray pkg_mkIndex │
421 ::pkg::create ::safe::interpAddToAccessPath ::safe::interpCre‐ │
422 ate ::safe::interpConfigure ::safe::interpDelete ::safe::interpFindI‐ │
423 nAccessPath ::safe::interpInit ::safe::setLogCmd tcl_endOf‐ │
424 Word tcl_findLibrary tcl_startOfNextWord tcl_startOfPrevious‐ │
425 Word tcl_wordBreakAfter tcl_wordBreakBefore can only be provided by │
426 explicit definition of an unknown command in the safe interpreter. │
427 This will involve exposing the source command. This is most easily │
428 accomplished by creating the safe interpreter with Tcl's Safe-Tcl mech‐ │
429 anism. Safe-Tcl provides safe versions of source, load, and other Tcl │
430 commands needed to support autoloading of commands and the loading of │
431 packages.
432 In addition, the env variable is not present in a safe interpreter, so
434 it cannot share environment variables with other interpreters. The env
435 variable poses a security risk, because users can store sensitive
436 information in an environment variable. For example, the PGP manual
437 recommends storing the PGP private key protection password in the envi‐
438 ronment variable PGPPASS. Making this variable available to untrusted
439 code executing in a safe interpreter would incur a security risk.
440 If extensions are loaded into a safe interpreter, they may also
442 restrict their own functionality to eliminate unsafe commands. For a
443 discussion of management of extensions for safety see the manual
444 entries for Safe-Tcl and the load Tcl command.
445 A safe interpreter may not alter the recursion limit of any inter‐
447 preter, including itself.
448
450 The alias mechanism has been carefully designed so that it can be used
451 safely when an untrusted script is executing in a safe slave and the
452 target of the alias is a trusted master. The most important thing in
453 guaranteeing safety is to ensure that information passed from the slave
454 to the master is never evaluated or substituted in the master; if this
455 were to occur, it would enable an evil script in the slave to invoke
456 arbitrary functions in the master, which would compromise security.
457 When the source for an alias is invoked in the slave interpreter, the
459 usual Tcl substitutions are performed when parsing that command. These
460 substitutions are carried out in the source interpreter just as they
461 would be for any other command invoked in that interpreter. The com‐
462 mand procedure for the source command takes its arguments and merges
463 them with the targetCmd and args for the alias to create a new array of
464 arguments. If the words of srcCmd were ``srcCmd arg1 arg2 ... argN'',
465 the new set of words will be ``targetCmd arg arg ... arg arg1 arg2 ...
466 argN'', where targetCmd and args are the values supplied when the alias
467 was created. TargetCmd is then used to locate a command procedure in
468 the target interpreter, and that command procedure is invoked with the
469 new set of arguments. An error occurs if there is no command named
470 targetCmd in the target interpreter. No additional substitutions are
471 performed on the words: the target command procedure is invoked
472 directly, without going through the normal Tcl evaluation mechanism.
473 Substitutions are thus performed on each word exactly once: targetCmd
474 and args were substituted when parsing the command that created the
475 alias, and arg1 - argN are substituted when the alias's source command
476 is parsed in the source interpreter.
477 When writing the targetCmds for aliases in safe interpreters, it is
479 very important that the arguments to that command never be evaluated or
480 substituted, since this would provide an escape mechanism whereby the
481 slave interpreter could execute arbitrary code in the master. This in
482 turn would compromise the security of the system. │
483
485 Safe interpreters greatly restrict the functionality available to Tcl │
486 programs executing within them. Allowing the untrusted Tcl program to │
487 have direct access to this functionality is unsafe, because it can be │
488 used for a variety of attacks on the environment. However, there are │
489 times when there is a legitimate need to use the dangerous functional‐ │
490 ity in the context of the safe interpreter. For example, sometimes a │
491 program must be sourced into the interpreter. Another example is Tk, │
492 where windows are bound to the hierarchy of windows for a specific │
493 interpreter; some potentially dangerous functions, e.g. window manage‐ │
494 ment, must be performed on these windows within the interpreter con‐ │
495 text. │
496 The interp command provides a solution to this problem in the form of │
498 hidden commands. Instead of removing the dangerous commands entirely │
499 from a safe interpreter, these commands are hidden so they become │
500 unavailable to Tcl scripts executing in the interpreter. However, such │
501 hidden commands can be invoked by any trusted ancestor of the safe │
502 interpreter, in the context of the safe interpreter, using interp │
503 invoke. Hidden commands and exposed commands reside in separate name │
504 spaces. It is possible to define a hidden command and an exposed com‐ │
505 mand by the same name within one interpreter. │
506 Hidden commands in a slave interpreter can be invoked in the body of │
508 procedures called in the master during alias invocation. For example, │
509 an alias for source could be created in a slave interpreter. When it is │
510 invoked in the slave interpreter, a procedure is called in the master │
511 interpreter to check that the operation is allowable (e.g. it asks to │
512 source a file that the slave interpreter is allowed to access). The │
513 procedure then it invokes the hidden source command in the slave inter‐ │
514 preter to actually source in the contents of the file. Note that two │
515 commands named source exist in the slave interpreter: the alias, and │
516 the hidden command. │
517 Because a master interpreter may invoke a hidden command as part of │
519 handling an alias invocation, great care must be taken to avoid evalu‐ │
520 ating any arguments passed in through the alias invocation. Otherwise, │
521 malicious slave interpreters could cause a trusted master interpreter │
522 to execute dangerous commands on their behalf. See the section on ALIAS │
523 INVOCATION for a more complete discussion of this topic. To help avoid │
524 this problem, no substitutions or evaluations are applied to arguments │
525 of interp invokehidden. │
526 Safe interpreters are not allowed to invoke hidden commands in them‐ │
528 selves or in their descendants. This prevents safe slaves from gaining │
529 access to hidden functionality in themselves or their descendants. │
530 The set of hidden commands in an interpreter can be manipulated by a │
532 trusted interpreter using interp expose and interp hide. The interp │
533 expose command moves a hidden command to the set of exposed commands in │
534 the interpreter identified by path, potentially renaming the command in │
535 the process. If an exposed command by the targeted name already exists, │
536 the operation fails. Similarly, interp hide moves an exposed command to │
537 the set of hidden commands in that interpreter. Safe interpreters are │
538 not allowed to move commands between the set of hidden and exposed com‐ │
539 mands, in either themselves or their descendants. │
540 Currently, the names of hidden commands cannot contain namespace quali‐ │
542 fiers, and you must first rename a command in a namespace to the global │
543 namespace before you can hide it. Commands to be hidden by interp hide │
544 are looked up in the global namespace even if the current namespace is │
545 not the global one. This prevents slaves from fooling a master inter‐ │
546 preter into hiding the wrong command, by making the current namespace │
547 be different from the global one.
548
550 This mechanism is based on the Safe-Tcl prototype implemented by
551 Nathaniel Borenstein and Marshall Rose.
552
554 Creating and using an alias for a command in the current interpreter:
555 interp alias {} getIndex {} lsearch {alpha beta gamma delta}
556 set idx [getIndex delta]
557 Executing an arbitrary command in a safe interpreter where every
559 invokation of lappend is logged:
560 set i [interp create -safe]
561 interp hide $i lappend
562 interp alias $i lappend {} loggedLappend $i
563 proc loggedLappend {i args} {
564 puts "logged invokation of lappend $args"
565 # Be extremely careful about command construction
566 eval [linsert $args 0 \
567 interp invokehidden $i lappend]
568 }
569 interp eval $i $someUntrustedScript
570
573 load(n), safe(n), Tcl_CreateSlave(3)
574
577 alias, master interpreter, safe interpreter, slave interpreter
578Tcl 7.6 interp(n)