-C Make\sthe\sunix\sVFS\sdefensive\sagainst\sthe\serror\sof\shaving\sa\sdatabase\sfile\sopen\non\sfile\sdescriptors\s1\sor\s2,\sas\san\serror\smessage\smight\seasily\sbe\swritten\sonto\nthose\sfile\sdescriptors\sand\sthus\soverwrite\sand\scorrupt\sthe\sdatabase.
-D 2013-08-29T23:36:49.784
+C Improvements\sto\sthe\srobust_open()\slogic\sin\sthe\sunix\sVFS\sso\sthat\sif\san\sattempt\nis\smade\sto\sopen\sa\srepository\son\sfile\sdescriptors\s0,\s1,\sor\s2,\sand\sblocking\nthat\sfile\sdescriptor\sby\sopening\sit\son\s/dev/null\sfails,\sthen\sthe\sopen\swill\nfail.
+D 2013-08-30T06:20:23.091
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 5e41da95d92656a5004b03d3576e8b226858a28e
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
F src/os.c b4ad71336fd96f97776f75587cd9e8218288f5be
F src/os.h 4a46270a64e9193af4a0aaa3bc2c66dc07c29b3f
F src/os_common.h 92815ed65f805560b66166e3583470ff94478f04
-F src/os_unix.c 45d425550a86e6464b494574df43b6e2efc98003
+F src/os_unix.c 81271e38084e74ddc6602ee5a80ea0a7d5dfacf9
F src/os_win.c 26d752736dff0c7e4e384ab65b353cce1e7e19c5
F src/pager.c 2aa4444ffe86e9282d03bc349a4a5e49bd77c0e8
F src/pager.h f094af9f6ececfaa8a1e93876905a4f34233fb0c
F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381
F tool/wherecosttest.c f407dc4c79786982a475261866a161cd007947ae
F tool/win/sqlite.vsix 97894c2790eda7b5bce3cc79cb2a8ec2fde9b3ac
-P d4b6ad3333cc3bad500c2ebf7a6ea552b6762b69 66dddda06898abbf97fe0ac6a10ce1527ca8605e
-R fe0bcec8f0ab9128b1355459470b05e0
+P 30d38cc44904d93508b87e373b2f45d5f93e556b
+R f7758c6eac86fc614b8a8bb0a78752f4
U drh
-Z 9dc425ab0a1c3ed5b98a1a49ce3d4048
+Z 3dd4af0a8c411dcbaa133c8880e5be77
return 0;
}
-/*
-** If fd is a file descriptor that would be dangerous to use for an
-** ordinary file, the close it, reopen it as /dev/null to get it out
-** of the way, then return true.
-**
-** If fd is safe, return 0.
-**
-** It is dangerous to have a database file open of file descriptors 1 or
-** 2 because those normally mean standard output and standard error. Other
-** components of the system might write directly to those file descriptors
-** and overwrite parts of the database file. Something like this happened
-** on 2013-08-29 to the canonical Fossil repository when some error caused
-** the database file to be opened on file descriptor 2 and later an assert()
-** fired and wrote error message text into file descriptor 2, corrupting
-** the repository.
-*/
-static int isReservedFd(int fd, const char *z, int f, int m){
- if( fd<0 || fd>2 ) return 0;
- sqlite3_log(SQLITE_WARNING,
- "attempt to open \"%s\" as file descriptor %d", z, fd);
- osClose(fd);
- (void)osOpen("/dev/null",f,m);
- return 1;
-}
-
/*
** Invoke open(). Do so multiple times, until it either succeeds or
** fails for some reason other than EINTR.
static int robust_open(const char *z, int f, mode_t m){
int fd;
mode_t m2 = m ? m : SQLITE_DEFAULT_FILE_PERMISSIONS;
- do{
+ while(1){
#if defined(O_CLOEXEC)
fd = osOpen(z,f|O_CLOEXEC,m2);
#else
fd = osOpen(z,f,m2);
#endif
- }while( (fd<0 && errno==EINTR) || isReservedFd(fd,z,f,m2) );
+ if( fd<0 ){
+ if( errno==EINTR ) continue;
+ break;
+ }
+ if( fd>2 ) break;
+ osClose(fd);
+ sqlite3_log(SQLITE_WARNING,
+ "attempt to open \"%s\" as file descriptor %d", z, fd);
+ fd = -1;
+ if( osOpen("/dev/null", f, m)<0 ) break;
+ }
if( fd>=0 ){
if( m!=0 ){
struct stat statbuf;
projects / thirdparty / sqlite.git / commitdiff
