Known Security Problems

[Tcl Plugin | Sun Home | Safe-Tcl]

The following is a list of known security problems with the current version of the plugin:

• The plugin does not implement resource controls. Thus, it is quite easy to write Tcl scripts that successfully mount resource attacks such as running in an infinite loop or computing an unbounded string.
• An applet can request a huge canvas and crash Tk because it cannot allocate a pixmap large enough.
• Asking for large pointsize fonts can take a very long time (for instance 50 seconds to get Times 1000). And when you ask for a large Chinese font, that can take 256 times longer! While it is fetching the font, the system is effectively in a global grab & unresponsive: you can't ctrl-C the program or click on another window and kill it. If you asked for Times 1<<30, you would never get your system back.