483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
|
}
/*
** Every Fossil database connection automatically registers the following
** overarching authenticator callback, and leaves it registered for the
** duration of the connection. This authenticator will call any
** sub-authenticators that are registered using db_set_authorizer().
*/
int db_top_authorizer(
void *pNotUsed,
int eCode,
const char *z0,
const char *z1,
const char *z2,
const char *z3
){
int rc = SQLITE_OK;
switch( eCode ){
case SQLITE_INSERT:
case SQLITE_UPDATE:
case SQLITE_DELETE: {
if( (db.protectMask & PROTECT_USER)!=0
&& sqlite3_stricmp(z0,"user")==0 ){
rc = SQLITE_DENY;
}else if( (db.protectMask & PROTECT_CONFIG)!=0 &&
(sqlite3_stricmp(z0,"config")==0 ||
sqlite3_stricmp(z0,"global_config")==0) ){
rc = SQLITE_DENY;
}else if( (db.protectMask & PROTECT_SENSITIVE)!=0 &&
sqlite3_stricmp(z0,"global_config")==0 ){
rc = SQLITE_DENY;
}else if( (db.protectMask & PROTECT_READONLY)!=0
&& sqlite3_stricmp(z2,"temp")!=0 ){
rc = SQLITE_DENY;
}
break;
}
case SQLITE_DROP_TEMP_TRIGGER: {
/* Do not allow the triggers that enforce PROTECT_SENSITIVE
** to be dropped */
rc = SQLITE_DENY;
break;
}
}
if( db.xAuth && rc==SQLITE_OK ){
rc = db.xAuth(db.pAuthArg, eCode, z0, z1, z2, z3);
}
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
|
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
|
}
/*
** Every Fossil database connection automatically registers the following
** overarching authenticator callback, and leaves it registered for the
** duration of the connection. This authenticator will call any
** sub-authenticators that are registered using db_set_authorizer().
**
** == Testing Notes ==
**
** Run Fossil as using a command like this:
**
** ./fossil sql --test --errorlog -
**
** Then enter SQL commands like one of these:
**
** SELECT db_protect('user');
** SELECT db_protect('config');
** SELECT db_protect('sensitive');
** SELECT db_protect('readonly');
** SELECT db_protect('all');
**
** Then try to do SQL statements that would violate the constraints and
** verify that SECURITY warnings appear in the error log output. See
** also the sqlcmd_db_protect() function in sqlcmd.c.
*/
int db_top_authorizer(
void *pNotUsed,
int eCode,
const char *z0,
const char *z1,
const char *z2,
const char *z3
){
int rc = SQLITE_OK;
switch( eCode ){
case SQLITE_INSERT:
case SQLITE_UPDATE:
case SQLITE_DELETE: {
if( (db.protectMask & PROTECT_USER)!=0
&& sqlite3_stricmp(z0,"user")==0 ){
fossil_errorlog(
"SECURITY: authorizer blocks DML on protected USER table\n");
rc = SQLITE_DENY;
}else if( (db.protectMask & PROTECT_CONFIG)!=0 &&
(sqlite3_stricmp(z0,"config")==0 ||
sqlite3_stricmp(z0,"global_config")==0) ){
fossil_errorlog(
"SECURITY: authorizer blocks DML on protected table \"%s\"\n", z0);
rc = SQLITE_DENY;
}else if( (db.protectMask & PROTECT_SENSITIVE)!=0 &&
sqlite3_stricmp(z0,"global_config")==0 ){
fossil_errorlog(
"SECURITY: authorizer blocks DML on protected GLOBAL_CONFIG table\n");
rc = SQLITE_DENY;
}else if( (db.protectMask & PROTECT_READONLY)!=0
&& sqlite3_stricmp(z2,"temp")!=0 ){
fossil_errorlog(
"SECURITY: authorizer blocks DML on table \"%s\" due to the\n"
"request coming from a different origin\n", z0);
rc = SQLITE_DENY;
}
break;
}
case SQLITE_DROP_TEMP_TRIGGER: {
/* Do not allow the triggers that enforce PROTECT_SENSITIVE
** to be dropped */
fossil_errorlog(
"SECURITY: authorizer blocks attempt to drop a temporary trigger\n");
rc = SQLITE_DENY;
break;
}
}
if( db.xAuth && rc==SQLITE_OK ){
rc = db.xAuth(db.pAuthArg, eCode, z0, z1, z2, z3);
}
|