From: drh Date: Sat, 4 Jan 2020 20:58:41 +0000 (+0000) Subject: Refactor the names of the new controls for restricting what actions the schema X-Git-Tag: version-3.31.0~45^2~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=67c826536fba0cf3f430fc1abe42e0795de50de5;p=thirdparty%2Fsqlite.git Refactor the names of the new controls for restricting what actions the schema can take behind the application's back. FossilOrigin-Name: 65d7d39a858c51ffd781f5a6335e029895e597aeb1e1ccdadea8ce79c8ad412f --- diff --git a/manifest b/manifest index fc1ba87890..d3b967c6de 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Enhance\sPRAGMA\sfunction_list\sto\sshow\sinternal\sfunctions\sif\sthe\sdirect\suse\nof\sinternal\sfunctions\sis\senabled\svia\sthe\sSQLITE_TESTCTRL_INTERNAL_FUNCTIONS\ntest\scontrol. -D 2020-01-04T19:58:28.209 +C Refactor\sthe\snames\sof\sthe\snew\scontrols\sfor\srestricting\swhat\sactions\sthe\sschema\ncan\stake\sbehind\sthe\sapplication's\sback. +D 2020-01-04T20:58:41.624 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 @@ -492,7 +492,7 @@ F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71 F src/insert.c 5ba8fd376f539240939ae76b5bc9fa7ad9a0d86e9914ecd11eb7002204138c11 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa F src/loadext.c d74f5e7bd51f3c9d283442473eb65aef359664efd6513591c03f01881c4ae2da -F src/main.c 5e71133fdb94908d3575998fe13430a4875dd211e0cb48bc9e684f0a616d657e +F src/main.c 372f764daf1fd8f86ea87a2eb285faaed891300682e9fa5a2fd75c3a3e6c5af7 F src/malloc.c eaa4dc9602ce28b077f7de2eb275db2be270c5cc56d7fec5466301bd9b80e2f5 F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645 F src/mem1.c c12a42539b1ba105e3707d0e628ad70e611040d8f5e38cf942cee30c867083de 
@@ -526,14 +526,14 @@ F src/pragma.h 5bbfafd74cf085762b64e4e2b00242917951b30468e380bddd8be6c21789aec2 F src/prepare.c 6049beb71385f017af6fc320d2c75a4e50b75e280c54232442b785fbb83df057 F src/printf.c 9be6945837c839ba57837b4bc3af349eba630920fa5532aa518816defe42a7d4 F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384 -F src/resolve.c c15dbf93b031e82fe19bfedacca72c520b616a0c02d6aac660073bf1ef5299ba +F src/resolve.c d368864894450413a78ab5381eea7f6deb2f1f7b10c7e6ca20cb345e5a7b9281 F src/rowset.c d977b011993aaea002cab3e0bb2ce50cf346000dff94e944d547b989f4b1fe93 F src/select.c 64bf450dc0f2b37be8d2be6ff7d25a70de37ef6fb64527c68f767fe9fe47bc55 -F src/shell.c.in 69462c95793d69a16df93deabbd6d026f5f6ef6c87d9da54ed1477c03490d17b -F src/sqlite.h.in 7f3178430f94f30a105bbaa6ed3ff44c9a16784d3d7783e306c0b9dd735ba599 +F src/shell.c.in 0fcf24b526e35eb2e02212e2504b695f79992ccc69b8be0f841276abea037008 +F src/sqlite.h.in 600fd6093a03112831e2658daac299d2a803ffcd3d7f4f6b091a447f79b4d6c2 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8 F src/sqlite3ext.h 72af51aa4e912e14cd495fb6e7fac65f0940db80ed950d90911aff292cc47ce2 -F src/sqliteInt.h 5a27f5858868acddf980dc879d02e6d1b1455853adc17ebab7376ab63fa0a505 +F src/sqliteInt.h 002066fa9a7ea1dacdca6f395968d4eed0fcf2978ac1f7528c61cb6e65f52e6e F src/sqliteLimit.h 1513bfb7b20378aa0041e7022d04acb73525de35b80b252f1b83fedb4de6a76b F src/status.c 9ff2210207c6c3b4d9631a8241a7d45ab1b26a0e9c84cb07a9b5ce2de9a3b278 F src/table.c b46ad567748f24a326d9de40e5b9659f96ffff34 
@@ -1853,7 +1853,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P b878c30f03e895bbc5c4c99c0f727d49093bb78bdc275593cf4852148579ae69 -R 2a316337c77b32f3140387723d41365c +P 7a8d7ca726666f4384925f959df0d58f7622229e06f1b5e643a3caccd539bb6e +R f9fb8a85043cff3871f686f554fff1c5 U drh -Z 5d85e17177ca37ac3e27744033bcda94 +Z 2b34921532ba1ddcc3f837ba912e08b2 diff --git a/manifest.uuid b/manifest.uuid index e5671db0ee..3d1543ad1f 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -7a8d7ca726666f4384925f959df0d58f7622229e06f1b5e643a3caccd539bb6e \ No newline at end of file +65d7d39a858c51ffd781f5a6335e029895e597aeb1e1ccdadea8ce79c8ad412f \ No newline at end of file diff --git a/src/main.c b/src/main.c index 6632e54a8a..b96d99038f 100644 --- a/src/main.c +++ b/src/main.c @@ -887,8 +887,7 @@ int sqlite3_db_config(sqlite3 *db, int op, ...){ { SQLITE_DBCONFIG_DQS_DDL, SQLITE_DqsDDL }, { SQLITE_DBCONFIG_DQS_DML, SQLITE_DqsDML }, { SQLITE_DBCONFIG_LEGACY_FILE_FORMAT, SQLITE_LegacyFileFmt }, - { SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW, SQLITE_UnsafeInView }, - { SQLITE_DBCONFIG_VTAB_IN_VIEW, SQLITE_VtabInView }, + { SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL, SQLITE_UnsafeDDL }, }; unsigned int i; rc = SQLITE_ERROR; /* IMP: R-42790-23372 */ @@ -3128,8 +3127,7 @@ static int openDatabase( | SQLITE_EnableTrigger | SQLITE_EnableView | SQLITE_CacheSpill - | SQLITE_UnsafeInView - | SQLITE_VtabInView + | SQLITE_UnsafeDDL /* The SQLITE_DQS compile-time option determines the default settings ** for SQLITE_DBCONFIG_DQS_DDL and SQLITE_DBCONFIG_DQS_DML. diff --git a/src/resolve.c b/src/resolve.c index ef77d8be5d..c4321e3930 100644 --- a/src/resolve.c +++ b/src/resolve.c 
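Review bot: The `| SQLITE_UnsafeDDL` line added to the default flag set in openDatabase() has no comment, although the header documentation in this same commit advises applications that read untrusted database files to turn this default off. A short comment at that line would make the trade-off visible where the default is chosen, for example `| SQLITE_UnsafeDDL  /* on for legacy compatibility; see SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL */`. openDatabase() starts and ends outside the hunk, so the rest of the flag expression is not visible here.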
@@ -891,13 +891,13 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){ && !IN_RENAME_OBJECT ){ if( (pDef->funcFlags & SQLITE_FUNC_DIRECT)!=0 - || (pParse->db->flags & SQLITE_UnsafeInView)==0 + || (pParse->db->flags & SQLITE_UnsafeDDL)==0 ){ /* Functions prohibited in triggers and views if: ** (1) tagged with SQLITE_DIRECTONLY ** (2) not tagged with SQLITE_INNOCUOUS (which means it ** is tagged with SQLITE_FUNC_UNSAFE) and - ** SQLITE_DBCONFIG_UNSAFE_IN_VIEW is off + ** SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL is off */ sqlite3ErrorMsg(pParse, "%s() prohibited in triggers and views", pDef->zName); diff --git a/src/shell.c.in b/src/shell.c.in index 25ab36e495..cd478d8d4d 100644 --- a/src/shell.c.in +++ b/src/shell.c.in @@ -7165,6 +7165,7 @@ static int do_meta_command(char *zLine, ShellState *p){ { "enable_fkey", SQLITE_DBCONFIG_ENABLE_FKEY }, { "enable_qpsg", SQLITE_DBCONFIG_ENABLE_QPSG }, { "enable_trigger", SQLITE_DBCONFIG_ENABLE_TRIGGER }, + { "enable_unsafe_ddl", SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL }, { "enable_view", SQLITE_DBCONFIG_ENABLE_VIEW }, { "fts3_tokenizer", SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER }, { "legacy_alter_table", SQLITE_DBCONFIG_LEGACY_ALTER_TABLE }, @@ -7173,8 +7174,6 @@ static int do_meta_command(char *zLine, ShellState *p){ { "no_ckpt_on_close", SQLITE_DBCONFIG_NO_CKPT_ON_CLOSE }, { "reset_database", SQLITE_DBCONFIG_RESET_DATABASE }, { "trigger_eqp", SQLITE_DBCONFIG_TRIGGER_EQP }, - { "unsafe_func_in_view",SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW }, - { "vtab_in_view", SQLITE_DBCONFIG_VTAB_IN_VIEW }, { "writable_schema", SQLITE_DBCONFIG_WRITABLE_SCHEMA }, }; int ii, v; diff --git a/src/sqlite.h.in b/src/sqlite.h.in index dc8bf4a384..a49684ed0d 100644 --- a/src/sqlite.h.in +++ b/src/sqlite.h.in @@ -2265,31 +2265,19 @@ struct sqlite3_mem_methods { ** compile-time option. ** ** -** [[SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW]] -**
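Review bot: The updated comment and the error text in resolveExprStep() still describe the restriction as applying to "triggers and views". The documentation this commit adds to sqlite.h.in defines the control more broadly, covering CHECK constraints, index definitions, generated columns and default values as well. The condition that selects this branch begins above the hunk, so the schema contexts that actually reach it cannot be confirmed from here; if it fires only for triggers and views, the header overstates what turning the option off protects against. Once the scope is confirmed, the comment line `/* Functions prohibited in triggers and views if:` and the message `"%s() prohibited in triggers and views"` should name the same contexts as the header text.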
SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW -**
The SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW option activates or deactivates -** the ability to use SQL functions that have side-effects inside of -** triggers and views. For legacy compatibility, this setting defaults -** to "on". Applications that are operating on untrusted database files -** are advised to change this setting to "off". When this setting is on, -** only functions that have no side effects are usable inside of views. -** This prevents an attacker from modifying the schema of a database so -** that views and/or triggers with undesirable side-effects are run when -** the application innocently tries to access what it thinks is an ordinary -** table. -**
-** -** [[SQLITE_DBCONFIG_VTAB_IN_VIEW]] -**
SQLITE_DBCONFIG_VTAB_IN_VIEW -**
The SQLITE_DBCONFIG_VTAB_IN_VIEW option activates or deactivates -** the ability to use [virtual tables] inside of triggers and views. -** For legacy compatibility, this setting defaults -** to "on". Applications that are operating on untrusted database files -** are advised to change this setting to "off". Turning this setting off -** prevents an attacker from modifying the schema of a database so -** that views and/or triggers with undesirable side-effects are run when -** the application innocently tries to access what it thinks is an ordinary -** table. +** [[SQLITE_DBCONFIG_INDIRECT_UNSAFE]] +**
SQLITE_DBCONFIG_INDIRECT_UNSAFE +**
The SQLITE_DBCONFIG_INDIRECT_UNSAFE option activates or deactivates +** the ability to use "unsafe" SQL functions and virtual tables in the +** schema of the database. Using an SQL function or virtual table "in the +** schema" means using the rsource in a +** trigger, view, CHECK constraint, INDEX definition, generated column, +** default value, or in any other context that is part of the DDL for the +** database file. "Unsafe" SQL functions are SQL functions that are not +** tagged with [SQLITE_INNOCUOUS]. +**

For legacy compatibility, the SQLITE_DBCONFIG_INDIRECT_UNSAFE setting +** defaults to "on". Applications that are operating on untrusted database +** files are advised to change this setting to "off". **

** ** [[SQLITE_DBCONFIG_LEGACY_FILE_FORMAT]] @@ -2332,9 +2320,8 @@ struct sqlite3_mem_methods { #define SQLITE_DBCONFIG_DQS_DDL 1014 /* int int* */ #define SQLITE_DBCONFIG_ENABLE_VIEW 1015 /* int int* */ #define SQLITE_DBCONFIG_LEGACY_FILE_FORMAT 1016 /* int int* */ -#define SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW 1017 /* int int* */ -#define SQLITE_DBCONFIG_VTAB_IN_VIEW 1018 /* int int* */ -#define SQLITE_DBCONFIG_MAX 1018 /* Largest DBCONFIG */ +#define SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL 1017 /* int int* */ +#define SQLITE_DBCONFIG_MAX 1017 /* Largest DBCONFIG */ /* ** CAPI3REF: Enable Or Disable Extended Result Codes diff --git a/src/sqliteInt.h b/src/sqliteInt.h index e8eafe2b6b..3b807532fd 100644 --- a/src/sqliteInt.h +++ b/src/sqliteInt.h @@ -1581,10 +1581,10 @@ struct sqlite3 { #define SQLITE_CkptFullFSync 0x00000010 /* Use full fsync for checkpoint */ #define SQLITE_CacheSpill 0x00000020 /* OK to spill pager cache */ #define SQLITE_ShortColNames 0x00000040 /* Show short columns names */ -#define SQLITE_UnsafeInView 0x00000080 /* Allow functions with side-effect - ** in triggers and views */ -#define SQLITE_VtabInView 0x00000100 /* Allow views and triggers to access - ** virtual tables */ +#define SQLITE_UnsafeDDL 0x00000080 /* Allow unsafe functions and vtabs + ** in the schema definition */ +#define SQLITE_NullCallback 0x00000100 /* Invoke the callback once if the */ + /* result set is empty */ #define SQLITE_IgnoreChecks 0x00000200 /* Do not enforce check constraints */ #define SQLITE_ReadUncommit 0x00000400 /* READ UNCOMMITTED in shared-cache */ #define SQLITE_NoCkptOnClose 0x00000800 /* No checkpoint on close()/DETACH */ @@ -1611,8 +1611,6 @@ struct sqlite3 { #define SQLITE_CountRows HI(0x00001) /* Count rows changed by INSERT, */ /* DELETE, or UPDATE and return */ /* the count using a callback. */ -#define SQLITE_NullCallback HI(0000002) /* Invoke the callback once if the */ - /* result set is empty */ /* Flags used only if debugging */ #ifdef SQLITE_DEBUG
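Review bot: The new documentation block in sqlite.h.in names the option `SQLITE_DBCONFIG_INDIRECT_UNSAFE` (in the `[[...]]` anchor, the term line and twice in the text), but the constant this commit defines, and uses in main.c and shell.c.in, is `SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL`. An application author following the advice to turn the setting off for untrusted database files will not find the documented name in the header. Use `SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL` throughout the block, and correct `rsource` to `resource` in the same paragraph.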
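Review bot: The comment on `SQLITE_UnsafeDDL` in sqliteInt.h says the flag allows unsafe functions "and vtabs" in the schema definition, but the only reader of the flag touched by this commit is the function check in resolve.c. `SQLITE_VtabInView` is deleted here and no virtual-table check is renamed alongside it. The virtual-table side may be enforced elsewhere or arrive in a later commit, but that is not visible in this diff, so the comment and the matching header text may promise more than the flag does at this revision. It would help to confirm this and say where the vtab check lives, for example `/* Allow unsafe functions and vtabs in the schema definition; vtab check: <location> */`, where `<location>` is a placeholder to fill in.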