NAME

network - Network communication using sockets for Safe-Tcl.

SYNOPSIS

socket host port

fconfigure channel ?options...?

DESCRIPTION

The network feature is installed into a Safe-Tcl interpreter by a security policy that enables this feature. This policy is called the controlling security policy, below. The network feature adds aliases to a Safe-Tcl interpreter to allow it to connect to remote services via network sockets.

The procedures that are provided by this feature are described in the PROCEDURES section, and the settings that control the behavior of these procedures at runtime are explained in the CONFIGURATION section. The security implications of this feature are discussed in the section SECURITY.

PROCEDURES

The network feature provides several aliases to an interpreter into which the feature is installed.

socket host port
The socket procedure opens a client network connection using the TCP protocol to a service running on the remote host host and listening on the port port. Only client sockets are supported, and no client side options are supported. For a description of the full socket command, see the socket manual page that is included with the Tcl 8.0 distribution. The host can be a network name such as www.sun.com, or a network address such as 129.23.102.34, or it can be the empty string to denote the host from which the Tclet was loaded. This allows a Tclet to connect back to the host it came from without having to have this information encoded in the Tclet itself. Only numeric ports are supported; this limited version of the socket command does not support connecting to services by name. The socket command returns the name of the new socket channel.

fconfigure sock ?options...?
This limited version of the fconfigure command disables the -peername option of the full command. All other options are fully supported. See the fconfigure manual entry that comes with the Tcl 8.0 distribution for a description of the options supported by this command.

CONFIGURATION

The socket command opens connections to hosts and ports allowed by settings in the hosts ports section of the configuration for the controlling security policy. Here is a hypothetical example:

section   hosts            ports
allow     www.sun.com      >1024
disallow  *.cs.mysite.edu  <1025
allow     *.cs.mysite.edu  1030

This configuration allows sockets to be opened on ports whose number is greater than 1024 on www.sun.com. It also disallows connections to any ports whose number is less than 1025 on all hosts in the network domain cs.mysite.edu. It also allows connections to services running on the well known port 1030 on all hosts in the network domain cs.mysite.edu.
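The following script is an added example, not part of the Tcl plugin's own code, that evaluates rows of the hypothetical hosts ports configuration above the way a policy administrator might want to check them before deployment. It makes two assumptions that the manual page does not state: rows are consulted in order and the first row whose host pattern and port specification both match decides the result, and a host and port that match no row are refused. The port specification forms it understands are the ones that appear on this page (N, >N, <N, N-M); the host patterns are glob patterns as used by string match. It requires Tcl 8.5 or later for lassign.

```tcl
# Added example (not the Tcl plugin's code): evaluate "hosts ports" rows.
# Assumptions: first matching row wins; no matching row means refuse.

# Constructed sample: the three rows from the configuration above.
set rules {
    {allow    www.sun.com     >1024}
    {disallow *.cs.mysite.edu <1025}
    {allow    *.cs.mysite.edu 1030}
}

# Does a numeric port satisfy a port specification?
# Supported forms: N, >N, <N and N-M (the forms used on this manual page).
proc portMatches {spec port} {
    if {[regexp {^>(\d+)$} $spec -> n]} {
        return [expr {$port > $n}]
    } elseif {[regexp {^<(\d+)$} $spec -> n]} {
        return [expr {$port < $n}]
    } elseif {[regexp {^(\d+)-(\d+)$} $spec -> lo hi]} {
        return [expr {$port >= $lo && $port <= $hi}]
    } elseif {[regexp {^\d+$} $spec]} {
        return [expr {$port == $spec}]
    }
    error "unsupported port specification: $spec"
}

# Host patterns are glob patterns; host names are compared case-insensitively.
proc hostMatches {pattern host} {
    return [string match -nocase $pattern $host]
}

# Decide whether a connection to host:port is permitted by the rules.
# Assumption: rows are consulted in order and the first match decides.
proc connectionAllowed {rules host port} {
    foreach rule $rules {
        lassign $rule verdict hostPat portSpec
        if {[hostMatches $hostPat $host] && [portMatches $portSpec $port]} {
            return [expr {$verdict eq "allow"}]
        }
    }
    return 0   ;# no row matched: refuse by default (assumption)
}

# Which of a list of candidate host names does a pattern cover?  This is
# the check recommended under SECURITY before putting a wildcard in a policy.
proc hostsCoveredBy {pattern candidates} {
    set hits {}
    foreach h $candidates {
        if {[hostMatches $pattern $h]} { lappend hits $h }
    }
    return $hits
}

# Constructed checks against the three rows above.
foreach {host port} {
    www.sun.com        8080
    www.sun.com        80
    fs.cs.mysite.edu   1030
    fs.cs.mysite.edu   25
    mail.mysite.edu    25
} {
    set verdict [expr {[connectionAllowed $rules $host $port] ? "allow" : "refuse"}]
    puts [format "%-18s %5d -> %s" $host $port $verdict]
}

# The pattern *.cs.mysite.edu does not cover the bare host cs.mysite.edu.
puts [hostsCoveredBy *.cs.mysite.edu \
    {cs.mysite.edu fs.cs.mysite.edu www.mysite.edu}]
```

Run it with tclsh; the last line prints only fs.cs.mysite.edu, which illustrates why the SECURITY section asks you to find out exactly which hosts a wildcard includes or excludes. If the real plugin resolves overlapping rows differently from the first-match assumption, only connectionAllowed needs to change.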

SECURITY

This section discusses the risks inherent in the network feature and how to reduce these risks.

Network sockets allow a Tclet to connect to remote resources that are not under the client's control and which are not administered by the client. This poses a privacy risk because information that the Tclet gleans from the client's host may be disclosed to other parties not under the client's control. You must carefully consider the risks when combining this feature with other features, especially those that allow access to local resources such as files stored on the local file system.

There is no limit on the number of sockets that a Tclet can open at any one time. This can be used by malicious or erroneous Tclets to mount resource exhaustion attacks, causing the hosting application to run out of network resources or file descriptors. When this happens, no other sub-system running in the hosting application will be able to make network connections using sockets. In the Tcl plugin, if the Tclet is executing in an external process and not in the address space of the hosting browser, only the external process runs out of network resources, while the hosting browser continues to be able to connect to remote sites. See the plugin manual entry for more details.

A socket can be maliciously or mistakenly put into blocking mode by using the fconfigure command. Sockets are in blocking mode when they are first opened with the socket command. If the Tclet tries to read from the socket when there is no input available, or if it tries to write when the output buffer is full, the Tclet can block the entire hosting application. In the Tcl plugin, if a Tclet is executing in an external process and not in the address space of the hosting browser, only the external process is blocked and the browser continues to function normally. Thus this only affects other Tclets that may be executing at the same time.
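The following script is an added example, not part of the Tcl plugin's own code, showing the socket and fconfigure aliases from PROCEDURES used in a way that avoids the two hazards just described: the socket is switched out of its initial blocking mode before any read is attempted, a timer bounds how long the Tclet waits, and the socket is always closed so that descriptors are not leaked. It assumes that the controlling security policy allows the connection, that the service sends line-oriented text, and that an event loop is available (vwait is used here so the script also runs under a plain tclsh). The host and port in the usage line are constructed values; in the plugin, an empty host string would denote the host the Tclet was loaded from, as described under PROCEDURES.

```tcl
# Added example (not the Tcl plugin's code): read a reply without ever
# blocking on the socket, and release the socket when finished.
# Assumptions: the policy permits the connection; the peer sends text lines.

# Read lines from host:port until EOF or until timeoutMs milliseconds have
# elapsed.  Returns a two-element list: why it stopped (eof or timeout) and
# the lines collected so far.
proc fetchLines {host port timeoutMs} {
    global reply
    set reply(lines) {}
    set reply(done)  ""

    set sock [socket $host $port]
    # The socket starts out blocking; switch that off before registering the
    # handler so a slow or silent peer cannot stall the hosting application.
    fconfigure $sock -blocking 0 -buffering line

    set timer [after $timeoutMs [list set reply(done) timeout]]
    fileevent $sock readable [list onReadable $sock]

    vwait reply(done)            ;# returns when the handler or the timer fires

    after cancel $timer
    catch {close $sock}          ;# closing also removes the fileevent handler
    return [list $reply(done) $reply(lines)]
}

proc onReadable {sock} {
    global reply
    # In non-blocking mode gets returns -1 when a complete line is not yet
    # available; that is not an error, the next readable event will retry.
    if {[gets $sock line] >= 0} {
        lappend reply(lines) $line
    } elseif {[eof $sock]} {
        set reply(done) eof
    }
}

# Usage with constructed values (localhost:7000, 5 second limit):
#   lassign [fetchLines localhost 7000 5000] why lines
#   puts "stopped because of $why; received [llength $lines] line(s)"
```

Because the handler only runs when data is actually available and gets is never allowed to wait for more, the hosting application's event loop keeps turning even if the remote service never answers, and the after timer guarantees the socket is closed eventually rather than being held open indefinitely.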

Another risk incurred by the network feature is a risk to your reputation. If you allow a Tclet to connect to the SMTP or NNTP services on any host, the Tclet can forge news articles or send electronic mail using your name. These articles, which appear to be from you, could contain damaging statements that you yourself would never write.

You can minimize these risks by carefully curtailing the hosts and ports to which a Tclet can connect in the hosts ports section of the configuration for the security policy used by the Tclet. Note that you should never allow connections to redirecting services such as FTP or HTTP proxy services, because you effectively lose control over which hosts the Tclet can connect to. Unless you have reason to trust the Tclet, you should probably also disallow connections to the NNTP and SMTP services on any hosts.

Carefully examine the set of hosts to which a connection can be made when specifying wildcards and patterns for host names in the configuration. Find out exactly what hosts are included or excluded by each pattern.

To minimize the chances of incorrect configuration, the network feature allows only connections to numeric ports and not to named services. This eliminates the possibility that a service would be disallowed by name while its port number would be allowed.

If you do not have complete control over the accessible services executing on a host, avoid numeric ranges (e.g. >1024 or 3000-4000) in allow statements.

SEE ALSO

plugin, socket, policy, config, fconfigure, safe

KEYWORDS

configuration, Safe Base, Safe-Tcl, aliases, multiple interpreters, policy, sockets
Tcl Plugin 2.0