The Safe Tcl Interpreter

Tcl scripts are executed in an interpreter. In addition to the standard interpreter, the script language has a safe interpreter that blocks all access to the system and therefore completely protects the system from being compromised.

Scripts that can be maintained via the GUI or the XML interface are always executed in the safe interpreter. This is true for the following checks and functions:

  • Value assignment function (callback) and value display function (displayValueCallback) for fields.
  • Version assignment function (recordSetCallback). Here the open command, restricted to the blob files passed to the function, is additionally available.
  • Workflow assignment function (workflowModification)
  • Completion check (completionCheck)

Conversely, all routines that require write access to files are not executed in the safe interpreter but in the standard interpreter:

  • The link function (linkCallback)
  • The post-action function (notificationCmd)
  • SystemExecute procedures
  • Formatter procedures for field values and links (dynamicLinkFormatter)
  • generateThumbnail
  • User manager functions (usermanAPI)
  • All Tcl files read in during system startup

Most of the procedures associated with these system calls are also available in the safe interpreter. This is required for procedures executed by custom commands and desirable for user manager functions.

Tcl procedures can be registered with the safe interpreter using the following command:

  safeInterp alias serverProc clientProc
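
The following is an added example, not code from the product. It uses the stock Tcl 8.6 commands interp create -safe and interp alias (not the product's safeInterp wrapper) to show a safe interpreter in which file access is blocked, plus one aliased procedure that reads only from a fixed list of files, similar in spirit to the restricted open described for recordSetCallback. The names readBlob, allowedBlobs and the temporary file are hypothetical.

```tcl
# Added example (stock Tcl 8.6), not the product's safeInterp wrapper.
# readBlob, allowedBlobs and the temp file are hypothetical names.

# Constructed sample input: one blob file the script is allowed to read.
set ch [file tempfile blobPath]
puts -nonewline $ch "constructed blob content"
close $ch
set allowedBlobs [list [file normalize $blobPath]]

# Safe interpreter: open, exec, socket, source, file etc. are hidden in it.
set child [interp create -safe]

# Trusted-side procedure. An alias target runs in the standard interpreter
# with full privileges, so it must validate every argument it receives
# from the untrusted script before touching the file system.
proc readBlob {allowed path} {
    # file normalize removes ./ and ../ and expands links in all but the
    # last path component; the result is compared to the allow-list.
    set real [file normalize $path]
    if {$real ni $allowed} {
        return -code error "access denied: $path"
    }
    set ch [open $real r]
    try {
        return [read $ch]
    } finally {
        close $ch
    }
}

# Register the procedure in the safe interpreter. The allow-list is bound
# here, on the trusted side, and cannot be changed by the script.
interp alias $child readBlob {} readBlob $allowedBlobs

# 1. Direct file access from the safe interpreter is rejected.
set failed [catch {interp eval $child [list open $blobPath r]} msg]
puts "open in safe interp: failed=$failed ($msg)"

# 2. The alias returns the content of a permitted file.
puts "readBlob allowed:    [interp eval $child [list readBlob $blobPath]]"

# 3. The alias refuses any path that is not on the allow-list.
set other [file join [file dirname $blobPath] not-a-blob.txt]
set failed [catch {interp eval $child [list readBlob $other]} msg]
puts "readBlob other file: failed=$failed ($msg)"

interp delete $child
file delete $blobPath
```

Every procedure registered this way widens what scripts in the safe interpreter can reach, so the check inside the aliased procedure is the only barrier for that call.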