From: drh Date: Sat, 3 Nov 2018 16:09:59 +0000 (+0000) Subject: Add the SQLITE_DBCONFIG_DEFENSIVE flag. X-Git-Tag: version-3.26.0~55^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a296cda016dfcf81674b04c041637fa0a4f426ac;p=thirdparty%2Fsqlite.git Add the SQLITE_DBCONFIG_DEFENSIVE flag. FossilOrigin-Name: af3f29d49359af2291b1d9e06e0db76fd000fbd24b4ac84d2668a0d1322efd83 --- diff --git a/manifest b/manifest index 1fcd4da3a6..ac7bc2983c 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\sa\sassert()\sin\sthe\squery\splanner\sthat\scan\sarise\swhen\sdoing\srow-value\noperations\son\sa\sPRIMARY\sKEY\sthat\scontains\sduplicate\scolumns.\nTicket\s[1a84668dcfdebaf12415d]. -D 2018-11-03T13:11:24.271 +C Add\sthe\sSQLITE_DBCONFIG_DEFENSIVE\sflag. +D 2018-11-03T16:09:59.962 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F Makefile.in edbb6e20bb1decf65f6c64c9e61004a69bdf8afb39cdce5337c916b03dfcd1e3 
@@ -445,17 +445,17 @@ F src/auth.c 0fac71038875693a937e506bceb492c5f136dd7b1249fbd4ae70b4e8da14f9df F src/backup.c 78d3cecfbe28230a3a9a1793e2ead609f469be43e8f486ca996006be551857ab F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33 F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6 -F src/btree.c 75ec3352656834ed096af95410610e7e7f16e1cdb65b0876bad49387b01d21b3 +F src/btree.c 41ab526796e7f3cc6e4c6d096c90ad35f0d3d1fe65964dcc0c4fddbbc7ad349d F src/btree.h febb2e817be499570b7a2e32a9bbb4b607a9234f6b84bb9ae84916d4806e96f2 F src/btreeInt.h 620ab4c7235f43572cf3ac2ac8723cbdf68073be4d29da24897c7b77dda5fd96 -F src/build.c 792a3246e8d080f631cb697e28f2da2ef21fa9f83a5476548f1ee4175d11cfaf +F src/build.c f5d49f97ab567b99fcc7ef8512cf0e61a662ba442a5d1fa8273edbc7575b92d4 F src/callback.c 789bd33d188146f66c0dd8306472a72d1c05f71924b24a91caf6bd45cf9aba73 F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e F src/ctime.c 109e58d00f62e8e71ee1eb5944ac18b90171c928ab2e082e058056e1137cc20b F src/date.c ebe1dc7c8a347117bb02570f1a931c62dd78f4a2b1b516f4837d45b7d6426957 -F src/dbpage.c 4aa7f26198934dbd002e69418220eae3dbc71b010bbac32bd78faf86b52ce6c3 +F src/dbpage.c ada9bc6964bb68e4c128df70cb0938faaa214e1a0e1d730ea6b13c5e1fde9a45 F src/dbstat.c e042b0e7833fdacf2d5ea92c6b536962fea6aeed8b7287ca87ddfa3412bd9564 -F src/delete.c 107e28d3ef8bd72fd11953374ca9107cd74e8b09c3ded076a6048742d26ce7d2 +F src/delete.c 2ddd40f4b04647e85e4e8665e552b96971cd0026f7e6431ac9c1ce249d1d9161 F src/expr.c 9aacc0b72348ba90010b672dcbbbe2fa56e1182043bc917a3a147b2bc57a5497 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007 F src/fkey.c 972a4ba14296bef2303a0abbad1e3d82bc3c61f9e6ce4e8e9528bdee68748812 
@@ -468,7 +468,7 @@ F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71 F src/insert.c 6b81aae27b196925d8ff78824f4bbd435d6a40cd38dc324685e21735bb402109 F src/legacy.c 134ab3e3fae00a0f67a5187981d6935b24b337bcf0f4b3e5c9fa5763da95bf4e F src/loadext.c 448eab53ecdb566a1259ee2d45ebff9c0bc4a2cf393774488775c33e4fbe89bf -F src/main.c 6275ece0699a957c4709a7ebe29476f132adbe459d18a6b497e234e4669abf91 +F src/main.c 03204aa22720654f0bc128b6d25626a89f9faca17e10ffdf738036d5453b13b3 F src/malloc.c 07295435093ce354c6d9063ac05a2eeae28bd251d2e63c48b3d67c12c76f7e18 F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645 F src/mem1.c c12a42539b1ba105e3707d0e628ad70e611040d8f5e38cf942cee30c867083de @@ -505,11 +505,11 @@ F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384 F src/resolve.c bc8c79e56439b111e7d9415e44940951f7087e9466c3a9d664558ef0faf31073 F src/rowset.c d977b011993aaea002cab3e0bb2ce50cf346000dff94e944d547b989f4b1fe93 F src/select.c 61e867a906f140b73baf4ce7a201ad6dcba30820969f5618ee40e9a0d32c6f5f -F src/shell.c.in f5a89e43e1b3255fcc274f5185595f547199757e0c59e3ea938af9676e9557d4 -F src/sqlite.h.in 4f95d6f484ce247fa7cbb7382641d40919cfe9c3bf8091bc462638c7bac4efea +F src/shell.c.in 060ccc327959bdc85c895015eb382017fd0cd000ebd47b7e8dda42f8aab0b66f +F src/sqlite.h.in 1383b2fbce61bd3634caeafb2513205326a297e988ea749d4f6dec7da7a281c9 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8 F src/sqlite3ext.h 960f1b86c3610fa23cb6a267572a97dcf286e77aa0dd3b9b23292ffaa1ea8683 -F src/sqliteInt.h 66ec6304f4eeae77483e13399bb389c60b37764250ac415cd0bac068a8336866 +F src/sqliteInt.h 16a6fe6475b4452dc7250afb40303f7cc3065024bab7ef412a9284247aac281c F src/sqliteLimit.h 1513bfb7b20378aa0041e7022d04acb73525de35b80b252f1b83fedb4de6a76b F src/status.c 46e7aec11f79dad50965a5ca5fa9de009f7d6bde08be2156f1538a0a296d4d0e F src/table.c b46ad567748f24a326d9de40e5b9659f96ffff34 
@@ -1775,7 +1775,10 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 1fa74930ab56171e2e840d4a5b259abafb0ad1e0320fc3030066570a6dd10002
-R 707185102d60512231af7b837ac929dd
+P dcb8c73594ea6b12bad98dc883a585d3e6b925c2ead267dc40332b3d266db5e8
+R 70fb126ec78ede93e02159f3b0e08576
+T *branch * dbconfig-defensive
+T *sym-dbconfig-defensive *
+T -sym-trunk *
 U drh
-Z 05c1146263aa5b30b6bada73e8bbc541
+Z 063598bbdddb8e4a121c6e32c0dbaf4a
diff --git a/manifest.uuid b/manifest.uuid
index 2a4dbbba74..029d34fe94 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-dcb8c73594ea6b12bad98dc883a585d3e6b925c2ead267dc40332b3d266db5e8
\ No newline at end of file
+af3f29d49359af2291b1d9e06e0db76fd000fbd24b4ac84d2668a0d1322efd83
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index b4f3d73f68..9b2e43a9f2 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -3112,7 +3112,9 @@ static int lockBtree(BtShared *pBt){
                                   pageSize-usableSize);
       return rc;
     }
-    if( (pBt->db->flags & SQLITE_WriteSchema)==0 && nPage>nPageFile ){
+    if( (pBt->db->flags & (SQLITE_WriteSchema|SQLITE_Defensive))==0
+     && nPage>nPageFile
+    ){
       rc = SQLITE_CORRUPT_BKPT;
       goto page1_init_failed;
     }
diff --git a/src/build.c b/src/build.c
index 2b73f45649..da72509da7 100644
--- a/src/build.c
+++ b/src/build.c
@@ -806,7 +806,7 @@ int sqlite3TwoPartName(
 */
 int sqlite3CheckObjectName(Parse *pParse, const char *zName){
   if( !pParse->db->init.busy && pParse->nested==0
-          && (pParse->db->flags & SQLITE_WriteSchema)==0
+          && (pParse->db->flags & (SQLITE_WriteSchema|SQLITE_Defensive))==0
           && 0==sqlite3StrNICmp(zName, "sqlite_", 7) ){
     sqlite3ErrorMsg(pParse, "object name reserved for internal use: %s", zName);
     return SQLITE_ERROR;
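Review bot: The new condition `(pParse->db->flags & (SQLITE_WriteSchema|SQLITE_Defensive))==0` in sqlite3CheckObjectName is false whenever SQLITE_Defensive is set, so with the defensive flag on the `sqlite_` reserved-name error is skipped and the name is accepted; the lockBtree hunk has the same inversion, bypassing the nPage>nPageFile corruption check, and so does the delete.c hunk, where a TF_Readonly table becomes modifiable. In all three places the flag therefore grants the same bypass that writable_schema grants, the opposite of the "reduce the attack surface" purpose stated in the sqlite.h.in hunk. If the intent is that defensive mode overrides writable_schema, the test at each site should be `(db->flags & (SQLITE_WriteSchema|SQLITE_Defensive))!=SQLITE_WriteSchema`, i.e. the error or corruption path is taken unless writable_schema is on and defensive is off; a single static helper encoding that rule would keep the three sites consistent. A test that calls `sqlite3_db_config(db, SQLITE_DBCONFIG_DEFENSIVE, 1, 0)` and then runs `CREATE TABLE sqlite_x(y)` would have caught this. lockBtree and sqlite3CheckObjectName continue outside their hunks.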
diff --git a/src/dbpage.c b/src/dbpage.c
index 5b19abd356..a73ea01bdb 100644
--- a/src/dbpage.c
+++ b/src/dbpage.c
@@ -313,6 +313,10 @@ static int dbpageUpdate(
   Pager *pPager;
   int szPage;
 
+  if( pTab->db->flags & SQLITE_Defensive ){
+    zErr = "read-only";
+    goto update_fail;
+  }
   if( argc==1 ){
     zErr = "cannot delete";
     goto update_fail;
diff --git a/src/delete.c b/src/delete.c
index 746f6725b9..64e7639c14 100644
--- a/src/delete.c
+++ b/src/delete.c
@@ -63,7 +63,7 @@ int sqlite3IsReadOnly(Parse *pParse, Table *pTab, int viewOk){
   if( ( IsVirtual(pTab)
      && sqlite3GetVTable(pParse->db, pTab)->pMod->pModule->xUpdate==0 )
    || ( (pTab->tabFlags & TF_Readonly)!=0
-     && (pParse->db->flags & SQLITE_WriteSchema)==0
+     && (pParse->db->flags & (SQLITE_WriteSchema|SQLITE_Defensive))==0
      && pParse->nested==0 )
   ){
     sqlite3ErrorMsg(pParse, "table %s may not be modified", pTab->zName);
diff --git a/src/main.c b/src/main.c
index 8935a19d75..01d8bca861 100644
--- a/src/main.c
+++ b/src/main.c
@@ -835,6 +835,7 @@ int sqlite3_db_config(sqlite3 *db, int op, ...){
         { SQLITE_DBCONFIG_ENABLE_QPSG, SQLITE_EnableQPSG },
         { SQLITE_DBCONFIG_TRIGGER_EQP, SQLITE_TriggerEQP },
         { SQLITE_DBCONFIG_RESET_DATABASE, SQLITE_ResetDatabase },
+        { SQLITE_DBCONFIG_DEFENSIVE, SQLITE_Defensive },
       };
       unsigned int i;
       rc = SQLITE_ERROR; /* IMP: R-42790-23372 */
diff --git a/src/shell.c.in b/src/shell.c.in
index 4fcd93c01d..177a948cbb 100644
--- a/src/shell.c.in
+++ b/src/shell.c.in
@@ -5956,6 +5956,7 @@ static int do_meta_command(char *zLine, ShellState *p){
         { "enable_qpsg", SQLITE_DBCONFIG_ENABLE_QPSG },
         { "trigger_eqp", SQLITE_DBCONFIG_TRIGGER_EQP },
         { "reset_database", SQLITE_DBCONFIG_RESET_DATABASE },
+        { "defensive", SQLITE_DBCONFIG_DEFENSIVE },
       };
       int ii, v;
       open_db(p, 0);
diff --git a/src/sqlite.h.in b/src/sqlite.h.in
index 9ead2b7aa6..18593a6440 100644
--- a/src/sqlite.h.in
+++ b/src/sqlite.h.in
@@ -2158,6 +2158,29 @@ struct sqlite3_mem_methods { ** Because resetting a database is destructive and irreversible, the ** process requires the use of this obscure API and multiple steps to help ** ensure that it does not happen by accident. +** +**
SQLITE_DBCONFIG_DEFENSIVE
+**
The SQLITE_DBCONFIG_DEFENSIVE option actives or deactivates the +** "defensive" flag for a database connection. When the defensive +** flag is enabled, some obscure features of SQLite are disabled in order +** to reduce the attack surface. Applications that run untrusted SQL +** can activate this flag to reduce the risk of zero-day exploits. +**

+** Features disabled by the defensive flag include: +**

+** New restrictions may be added in future releases. +**

+** To be clear: It should never be possible for hostile SQL to cause +** arbitrary memory reads, memory leaks, buffer overflows, assertion +** faults, arbitrary code execution, crashes, or other mischief, regardless +** of the value of the defensive flag. Any occurrance of these problems +** is considered a serious bug and will be fixed promptly. It is not +** necessary to enable the defensive flag in order to make SQLite secure +** against attack. The defensive flag merely provides an additional layer +** of defense against unknown vulnerabilities. **

 **
 */
@@ -2171,7 +2194,8 @@ struct sqlite3_mem_methods {
 #define SQLITE_DBCONFIG_ENABLE_QPSG 1007 /* int int* */
 #define SQLITE_DBCONFIG_TRIGGER_EQP 1008 /* int int* */
 #define SQLITE_DBCONFIG_RESET_DATABASE 1009 /* int int* */
-#define SQLITE_DBCONFIG_MAX 1009 /* Largest DBCONFIG */
+#define SQLITE_DBCONFIG_DEFENSIVE 1010 /* int int* */
+#define SQLITE_DBCONFIG_MAX 1010 /* Largest DBCONFIG */
 
 /*
 ** CAPI3REF: Enable Or Disable Extended Result Codes
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 20db52de3f..0482db21d4 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -1540,6 +1540,7 @@ struct sqlite3 {
 #define SQLITE_ResetDatabase 0x02000000 /* Reset the database */
 #define SQLITE_LegacyAlter 0x04000000 /* Legacy ALTER TABLE behaviour */
 #define SQLITE_NoSchemaError 0x08000000 /* Do not report schema parse errors*/
+#define SQLITE_Defensive 0x10000000 /* Input SQL is likely hostile */
 
 /* Flags used only if debugging */
 #define HI(X) ((u64)(X)<<32)
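Review bot: Two typos in the new SQLITE_DBCONFIG_DEFENSIVE documentation block in sqlite.h.in: `actives` should read `activates` ("option activates or deactivates the"), and `occurrance` should read `occurrence` ("Any occurrence of these problems"). The list of features disabled by the flag appears to have lost its items in this rendering, so I cannot check it against the code hunks; it is worth confirming the list names every site the flag now affects, since the public header is what applications will rely on to decide whether to enable it.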