Fossil

Check-in [719dfbb95d]
Login
Home Timeline Docs Forum Download

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:But, do not allow access to private columns of fx_ tables unless the user has "Email" privilege (letter "e").
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 719dfbb95d3e545e43d6153bcadb2b024dccd9264564562df4255b34c84c686d
User & Date: drh 2021-04-08 00:47:17.429
Context
2021-04-08
01:07
But, do not allow access to private columns of fx_ tables unless the user has "Email" privilege (letter "e"). ... (check-in: 96b0c1ffac user: drh tags: branch-2.14)
01:05
But, do not allow access to private columns of fx_ tables unless the user has "Email" privilege (letter "e"). ... (check-in: 0986dabb16 user: drh tags: branch-2.15)
00:55
Backout [5c5aa19cc5098ac2] - we want words for the menu items, not obscure unicode symbols. I'm not sure what that check-in was all about. ... (check-in: 1a1c0ebe3c user: drh tags: trunk)
00:47
But, do not allow access to private columns of fx_ tables unless the user has "Email" privilege (letter "e"). ... (check-in: 719dfbb95d user: drh tags: trunk)
2021-04-07
23:32
Bug fix: Restore access to tables whose names start with "fx_" in ticket reports. Broken by check-in [5e7dc8a6f51818e6]. ... (check-in: cfb6e5eae3 user: drh tags: trunk)
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/report.c. 
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227




228
229
230
231
232
233
234

      if( zArg1==0 ){
        /* Some legacy versions of SQLite will sometimes send spurious
        ** READ authorizations that have no table name.  These can be
        ** ignored. */
        rc = SQLITE_IGNORE;
        break;
      }
      if( sqlite3_strnicmp(zArg1, "fx_", 3)==0 ){
        /* Ok to read any table whose name begins with "fx_" */
        rc = SQLITE_OK;
        break;
      }
      while( lwr<=upr ){
        int i = (lwr+upr)/2;
        cmp = fossil_stricmp(zArg1, azAllowed[i]);
        if( cmp<0 ){
          upr = i - 1;
        }else if( cmp>0 ){
          lwr = i + 1;
        }else{
          break;
        }
      }




      if( cmp ){
        *(char**)pError = mprintf("access to table \"%s\" is restricted",zArg1);
        rc = SQLITE_DENY;
      }else if( !g.perm.RdAddr && sqlite3_strnicmp(zArg2, "private_", 8)==0 ){
        rc = SQLITE_IGNORE;
      }
      break;








<
<
<
<
<











>
>
>
>








205
206
207
208
209
210
211





212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233

      if( zArg1==0 ){
        /* Some legacy versions of SQLite will sometimes send spurious
        ** READ authorizations that have no table name.  These can be
        ** ignored. */
        rc = SQLITE_IGNORE;
        break;
      }





      while( lwr<=upr ){
        int i = (lwr+upr)/2;
        cmp = fossil_stricmp(zArg1, azAllowed[i]);
        if( cmp<0 ){
          upr = i - 1;
        }else if( cmp>0 ){
          lwr = i + 1;
        }else{
          break;
        }
      }
      if( cmp ){
        /* Always ok to access tables whose names begin with "fx_" */
        cmp = sqlite3_strnicmp(zArg1, "fx_", 3);
      }
      if( cmp ){
        *(char**)pError = mprintf("access to table \"%s\" is restricted",zArg1);
        rc = SQLITE_DENY;
      }else if( !g.perm.RdAddr && sqlite3_strnicmp(zArg2, "private_", 8)==0 ){
        rc = SQLITE_IGNORE;
      }
      break;
This page was generated in about 0.014s by Fossil 2.26 [1205ec86cb] 2025-04-30 16:57:32