Overview
| Comment: | Make sure all appropriate SQL function security precautions are in place. |
|---|---|
| SHA3-256: |
994a7c72d9412a00a853f47658946069 |
| User & Date: | drh 2020-11-29 19:30:20.695 |
Context
|
2020-11-29
| ||
| 19:33 | Allow the use of SQL functions in the schema for the ticket table. check-in: 4740cf7589 user: drh tags: trunk | |
| 19:30 | Make sure all appropriate SQL function security precautions are in place. check-in: 994a7c72d9 user: drh tags: trunk | |
| 12:50 | Additional defenses to prevent the db_protect() and db_protect_pop() SQL functions from being misused. check-in: 6ade35427f user: drh tags: trunk | |
Changes
Changes to src/checkout.c.
| ︙ | ︙ | |||
47 48 49 50 51 52 53 |
** current working directory and is not on the empty-dirs list.
*/
void uncheckout(int vid){
char *zPwd;
if( vid<=0 ) return;
sqlite3_create_function(g.db, "dirname",1,SQLITE_UTF8,0,
file_dirname_sql_function, 0, 0);
| | | | 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |
** current working directory and is not on the empty-dirs list.
*/
void uncheckout(int vid){
char *zPwd;
if( vid<=0 ) return;
sqlite3_create_function(g.db, "dirname",1,SQLITE_UTF8,0,
file_dirname_sql_function, 0, 0);
sqlite3_create_function(g.db, "unlink",1,SQLITE_UTF8|SQLITE_DIRECTONLY,0,
file_delete_sql_function, 0, 0);
sqlite3_create_function(g.db, "rmdir", 1, SQLITE_UTF8|SQLITE_DIRECTONLY, 0,
file_rmdir_sql_function, 0, 0);
db_multi_exec(
"CREATE TEMP TABLE dir_to_delete(name TEXT %s PRIMARY KEY)WITHOUT ROWID",
filename_collation()
);
db_multi_exec(
"INSERT OR IGNORE INTO dir_to_delete(name)"
|
| ︙ | ︙ |
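Review bot: The `unlink` and `rmdir` registrations in uncheckout() appear to stay attached to the shared `g.db` connection after the cleanup queries finish, and SQLITE_DIRECTONLY only keeps them out of views, triggers and other schema SQL, so any top-level statement later run on that connection can still call them. Consider deleting them once the directory cleanup is done by re-registering with NULL callbacks, e.g. `sqlite3_create_function(g.db, "unlink", 1, SQLITE_UTF8, 0, 0, 0, 0);` and the same for `rmdir`. The same applies to the `rmdir` registration in src/update.c. The body of uncheckout() continues past the shown lines, so this may already be handled there.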
Changes to src/db.c.
| ︙ | ︙ | |||
1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 |
SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE,
g.zVfsName
);
if( rc!=SQLITE_OK ){
db_err("[%s]: %s", zDbName, sqlite3_errmsg(db));
}
db_maybe_set_encryption_key(db, zDbName);
sqlite3_busy_timeout(db, 15000);
sqlite3_wal_autocheckpoint(db, 1); /* Set to checkpoint frequently */
sqlite3_create_function(db, "user", 0, SQLITE_UTF8, 0, db_sql_user, 0, 0);
sqlite3_create_function(db, "cgi", 1, SQLITE_UTF8, 0, db_sql_cgi, 0, 0);
sqlite3_create_function(db, "cgi", 2, SQLITE_UTF8, 0, db_sql_cgi, 0, 0);
sqlite3_create_function(db, "print", -1, SQLITE_UTF8, 0,db_sql_print,0,0);
sqlite3_create_function(
db, "is_selected", 1, SQLITE_UTF8, 0, file_is_selected,0,0
);
sqlite3_create_function(
db, "if_selected", 3, SQLITE_UTF8, 0, file_is_selected,0,0
);
if( g.fSqlTrace ) sqlite3_trace_v2(db, SQLITE_TRACE_PROFILE, db_sql_trace, 0);
db_add_aux_functions(db);
re_add_sql_func(db); /* The REGEXP operator */
foci_register(db); /* The "files_of_checkin" virtual table */
| > > > > > < | 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 |
SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE,
g.zVfsName
);
if( rc!=SQLITE_OK ){
db_err("[%s]: %s", zDbName, sqlite3_errmsg(db));
}
db_maybe_set_encryption_key(db, zDbName);
sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_FKEY, 0, &rc);
sqlite3_db_config(db, SQLITE_DBCONFIG_TRUSTED_SCHEMA, 0, &rc);
sqlite3_db_config(db, SQLITE_DBCONFIG_DQS_DDL, 0, &rc);
sqlite3_db_config(db, SQLITE_DBCONFIG_DQS_DML, 0, &rc);
sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, &rc);
sqlite3_busy_timeout(db, 15000);
sqlite3_wal_autocheckpoint(db, 1); /* Set to checkpoint frequently */
sqlite3_create_function(db, "user", 0, SQLITE_UTF8, 0, db_sql_user, 0, 0);
sqlite3_create_function(db, "cgi", 1, SQLITE_UTF8, 0, db_sql_cgi, 0, 0);
sqlite3_create_function(db, "cgi", 2, SQLITE_UTF8, 0, db_sql_cgi, 0, 0);
sqlite3_create_function(db, "print", -1, SQLITE_UTF8, 0,db_sql_print,0,0);
sqlite3_create_function(
db, "is_selected", 1, SQLITE_UTF8, 0, file_is_selected,0,0
);
sqlite3_create_function(
db, "if_selected", 3, SQLITE_UTF8, 0, file_is_selected,0,0
);
if( g.fSqlTrace ) sqlite3_trace_v2(db, SQLITE_TRACE_PROFILE, db_sql_trace, 0);
db_add_aux_functions(db);
re_add_sql_func(db); /* The REGEXP operator */
foci_register(db); /* The "files_of_checkin" virtual table */
sqlite3_set_authorizer(db, db_top_authorizer, db);
return db;
}
/*
** Detaches the zLabel database.
|
| ︙ | ︙ |
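Review bot: The five `sqlite3_db_config()` calls discard their return codes and pass `&rc` as the out-parameter, which for these options receives the resulting on/off state rather than an error, so `rc` no longer holds the open result afterwards and a hardening step that fails is silent. That matters if the binary is linked against an SQLite library that does not recognise one of the options (for example SQLITE_DBCONFIG_TRUSTED_SCHEMA), because the connection would then keep running with the schema still trusted. Use a separate variable and check both the return code and the reported state, e.g. `int cur = -1;` then `if( sqlite3_db_config(db, SQLITE_DBCONFIG_TRUSTED_SCHEMA, 0, &cur)!=SQLITE_OK || cur!=0 ) db_err("[%s]: cannot disable trusted_schema", zDbName);`. The enclosing function starts above the shown lines.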
Changes to src/update.c.
| ︙ | ︙ | |||
593 594 595 596 597 598 599 |
** Clean up the mid and pid VFILE entries. Then commit the changes.
*/
if( dryRunFlag ){
db_end_transaction(1); /* With --dry-run, rollback changes */
}else{
char *zPwd;
ensure_empty_dirs_created(1);
| | | 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 |
** Clean up the mid and pid VFILE entries. Then commit the changes.
*/
if( dryRunFlag ){
db_end_transaction(1); /* With --dry-run, rollback changes */
}else{
char *zPwd;
ensure_empty_dirs_created(1);
sqlite3_create_function(g.db, "rmdir", 1, SQLITE_UTF8|SQLITE_DIRECTONLY, 0,
file_rmdir_sql_function, 0, 0);
zPwd = file_getcwd(0,0);
db_multi_exec(
"SELECT rmdir(%Q||name) FROM dir_to_delete"
" WHERE (%Q||name)<>%Q ORDER BY name DESC",
g.zLocalRoot, g.zLocalRoot, zPwd
);
|
| ︙ | ︙ |