422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
|
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
|
+
+
+
+
+
+
|
&& g.repositoryOpen
){
/* Create the triggers needed to protect sensitive settings from
** being created or modified the first time that PROTECT_SENSITIVE
** is enabled. Deleting a sensitive setting is harmless, so there
** is not trigger to block deletes. After being created once, the
** triggers persist for the life of the database connection. */
unsigned savedProtectMask = db.protectMask;
db.protectMask = 0;
db_multi_exec(
"CREATE TEMP TRIGGER protect_1 BEFORE INSERT ON config"
" WHEN protected_setting(new.name) BEGIN"
" SELECT raise(abort,'not authorized');"
"END;\n"
"CREATE TEMP TRIGGER protect_2 BEFORE UPDATE ON config"
" WHEN protected_setting(new.name) BEGIN"
" SELECT raise(abort,'not authorized');"
"END;\n"
);
db.bProtectTriggers = 1;
db.protectMask = savedProtectMask;
}
db.protectMask = flags;
}
void db_protect(unsigned flags){
db_protect_only(db.protectMask | flags);
}
void db_unprotect(unsigned flags){
if( db.nProtect>=count(db.aProtect)-2 ){
fossil_panic("too many db_unprotect() calls");
}
db.aProtect[db.nProtect++] = db.protectMask;
db.protectMask &= ~flags;
}
void db_protect_pop(void){
if( db.nProtect<1 ){
fossil_panic("too many db_protect_pop() calls");
}
db.protectMask = db.aProtect[--db.nProtect];
}
int db_is_protected(unsigned flags){
return (db.protectMask & flags)!=0;
}
/*
** Verify that the desired database write protections are in place.
** Throw a fatal error if not.
*/
void db_assert_protected(unsigned flags){
if( (flags & db.protectMask)!=flags ){
|
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
|
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
|
-
+
|
sqlite3_stricmp(z0,"global_config")==0 ){
fossil_errorlog(
"SECURITY: authorizer blocks DML on protected GLOBAL_CONFIG table\n");
rc = SQLITE_DENY;
}else if( (db.protectMask & PROTECT_READONLY)!=0
&& sqlite3_stricmp(z2,"temp")!=0 ){
fossil_errorlog(
"SECURITY: authorizer blocks DML on table \"%s\" due to the\n"
"SECURITY: authorizer blocks DML on table \"%s\" due to the "
"request coming from a different origin\n", z0);
rc = SQLITE_DENY;
}
break;
}
case SQLITE_DROP_TEMP_TRIGGER: {
/* Do not allow the triggers that enforce PROTECT_SENSITIVE
|
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
|
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
|
+
+
|
g.zAuxSchema = db_get("aux-schema","");
g.eHashPolicy = db_get_int("hash-policy",-1);
if( g.eHashPolicy<0 ){
g.eHashPolicy = hname_default_policy();
db_set_int("hash-policy", g.eHashPolicy, 0);
}
#if 0 /* No longer automatic. Need to run "fossil rebuild" to migrate */
/* Make a change to the CHECK constraint on the BLOB table for
** version 2.0 and later.
*/
rebuild_schema_update_2_0(); /* Do the Fossil-2.0 schema updates */
#endif
/* Additional checks that occur when opening the check-out database */
if( g.localOpen ){
/* If the repository database that was just opened has been
** eplaced by a clone of the same project, with different RID
** values, then renumber the RID values stored in various tables
|