Fossil

Check-in [b4e00621e3]
Login
Home Timeline Docs Branches Tickets Wiki DownloadMore...

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Only apply the PROTECT_READONLY restriction to the "repository", "configdb", and "localdb" database files.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: b4e00621e3fb6b315f24f17b9400c2ba0480c9d428fcc84fafa5feb937c509d7
User & Date: drh 2022-12-29 19:49:42.291
Context
2022-12-29
20:09
Improved comments on the SQL protection subsystem. check-in: 0aa3483fa8 user: drh tags: trunk
19:49
Only apply the PROTECT_READONLY restriction to the "repository", "configdb", and "localdb" database files. check-in: b4e00621e3 user: drh tags: trunk
19:39
Fix the new read-only-repo security mechanism so that it enables write access when necessary. check-in: f8363db81b user: drh tags: trunk
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/db.c. 
538
539
540
541
542
543
544

545




546
547
548
549
550
551
552

        rc = SQLITE_DENY;
      }else if( (db.protectMask & PROTECT_SENSITIVE)!=0 &&
                sqlite3_stricmp(z0,"global_config")==0 ){
        fossil_errorlog(
          "SECURITY: authorizer blocks DML on protected GLOBAL_CONFIG table\n");
        rc = SQLITE_DENY;
      }else if( (db.protectMask & PROTECT_READONLY)!=0

                && sqlite3_stricmp(z2,"temp")!=0 ){




        fossil_errorlog(
          "SECURITY: authorizer blocks DML on table \"%s\" due to the "
          "request coming from a different origin\n", z0);
        rc = SQLITE_DENY;
      }
      break;
    }








>
|
>
>
>
>








538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557

        rc = SQLITE_DENY;
      }else if( (db.protectMask & PROTECT_SENSITIVE)!=0 &&
                sqlite3_stricmp(z0,"global_config")==0 ){
        fossil_errorlog(
          "SECURITY: authorizer blocks DML on protected GLOBAL_CONFIG table\n");
        rc = SQLITE_DENY;
      }else if( (db.protectMask & PROTECT_READONLY)!=0
                && (sqlite3_stricmp(z2, "repository")==0
                    || sqlite3_stricmp(z2,"configdb")==0
                    || sqlite3_stricmp(z2,"localdb")==0) ){
        /* The READONLY constraint only applies to persistent database files.
        ** "temp" and "mem1" and other transient databases are not
        ** constrained by READONLY. */
        fossil_errorlog(
          "SECURITY: authorizer blocks DML on table \"%s\" due to the "
          "request coming from a different origin\n", z0);
        rc = SQLITE_DENY;
      }
      break;
    }
This page was generated in about 0.02s by Fossil 2.26 [1205ec86cb] 2025-04-30 16:57:32