Hypnotoad <yo...@etoyoc.com> wrote:
> On Saturday, November 18, 2017 at 10:31:14 AM UTC-5, Rich wrote:
>> Hypnotoad <yo...@etoyoc.com> wrote:
>> > The kit-like behaviors are as follows:
>> >
>> > 1) If the tcl executable has an attached zip file system, mount it
>> > 2) If a file named main.tcl is the root of that file system, treat
>> > that as the tcl startup script
>> > 3) If a file named tcl_library/init.tcl is in that file system,
>> > make the directory it is in the value of TCL_LIBRARY
>>
>> Are #2 & #3 only performed if #1 occurs? Your posting implies "yes"
>> but is not 100% clear on this fact.
>>
>> Because if #2 and/or #3 always occur upon mounting a zip, then these
>> two would lead to a MSWin style "autorun" security problem with
>> using the zipfs in general to access zip files.
>
> Sorry about that. Yes indeed, steps 2 and 3 are predicated on a
> successful mounting of the file system in step 1.
Good. That is the more secure path.
> The kit-like behaviors are ONLY performed at process startup, and
> ONLY on the actual executable that spawned the process. Just
> mounting a volume does not trigger any of these behaviors. And the
> search for TCL_LIBRARY is only done once at process startup. And
> only if the application doesn't specify a TCL_LOCAL_MAIN_HOOK.
Might I suggest that when you do write the manpage/docs for this, you
make this behavior 100% explicitly clear in the docs.
> I was kicking around the idea of having a convention to automatically
> search for a pkgIndex.tcl file on any mount. But the security issues
> you describe make that sound like a terrible idea, so let us continue
> to NOT do that.
It is not a good idea at all. MS had tons of security problems back in
the day of CD-ROMs due to their OSes of the day automatically running
an "autorun.bat" (or something like that) by simply inserting a CD/DVD
into a drive. There was an override (hold down the shift key while
inserting the CD/DVD), but the very people most in danger of the possible
exploit were also the very ones least likely to know the override.
If I (or another dev.) want to search for and load modules/packages
from random zips we mount, let us explicitly choose to add paths to
such places in the zips ourselves, fully aware of the implications.
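As an added illustration of the opt-in pattern Rich describes (this is example code written for this page, not code from the thread or from the Tcl project): mounting an archive runs nothing, and a package directory inside the zip is only consulted after the application has deliberately appended it to auto_path. It assumes Tcl 9.0's zipfs command, where the argument order is "zipfs mount zipfile mountpoint" (8.7 alphas took the mountpoint first), and the archive name plugins.zip and package name mylib are constructed placeholders.

```tcl
# Added example, not from the thread: explicit, opt-in loading of packages
# from a mounted zip archive.  Assumes Tcl 9.0's zipfs, where the command is
# "zipfs mount ?zipfile? ?mountpoint?"; Tcl 8.7 alphas used the reverse order.
package require Tcl 9.0

# Mount the archive under the zipfs root.  Mounting alone runs nothing:
# no main.tcl, no pkgIndex.tcl and no init.tcl is sourced by this step.
set mnt [file join [zipfs root] plugins]
zipfs mount ./plugins.zip $mnt   ;# ./plugins.zip is a constructed example path

# Opt in deliberately: only directories the application names are added to
# the package search path, and only after it has decided to trust the archive.
proc trust_package_dir {dir} {
    if {![file isdirectory $dir]} {
        error "not a directory: $dir"
    }
    if {![file exists [file join $dir pkgIndex.tcl]]} {
        puts stderr "no pkgIndex.tcl in $dir; nothing added"
        return 0
    }
    if {$dir ni $::auto_path} {
        lappend ::auto_path $dir
    }
    # Still nothing has been sourced.  pkgIndex.tcl files on auto_path are
    # read only when [package require] cannot find a package, so a stray
    # index inside some other mounted zip cannot run code at mount time.
    return 1
}

trust_package_dir [file join $mnt lib]
package require mylib   ;# now, and only now, the index in the zip is consulted
```

The point of the helper is that the trust decision is a visible line in the application's own code: an archive that was merely mounted to read data files never gets onto auto_path, and an archive that is trusted is added by name.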