From: drh Date: Tue, 31 Dec 2019 22:52:10 +0000 (+0000) Subject: Experimental branch with new sqlite3_db_config() options that could possible X-Git-Tag: version-3.31.0~45^2~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b945bcdaf178eabb320aa4609a31ec74233e3115;p=thirdparty%2Fsqlite.git Experimental branch with new sqlite3_db_config() options that could possible enhance security for applications reading potentially compromised database files. FossilOrigin-Name: 96a2db2612f2e47bbec0e374a242820c88f03c42ccbf8467abccaef41469bae2 --- diff --git a/manifest b/manifest index c162495ecf..d00d6abea2 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Also\sset\sthe\sSQLITE_DIRECTONLY\sflag\son\sthe\sload_extension()\sfunction. -D 2019-12-31T18:39:23.702 +C Experimental\sbranch\swith\snew\ssqlite3_db_config()\soptions\sthat\scould\spossible\nenhance\ssecurity\sfor\sapplications\sreading\spotentially\scompromised\sdatabase\nfiles. +D 2019-12-31T22:52:10.121 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 @@ -492,7 +492,7 @@ F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71 F src/insert.c 97afb0bf06d7fd7b820f6de3e42cf60beb5cd10131828c29b131b2614bbb1f39 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa F src/loadext.c d74f5e7bd51f3c9d283442473eb65aef359664efd6513591c03f01881c4ae2da -F src/main.c 868ae7db7a54fe859bf2ca8b7a4f24e9fa03a6134abfb7c9801d08411ef5dacb +F src/main.c b75192ececab87f3342088546a8738b22ffc727865d61902ef93de9dc057669c F src/malloc.c 550021fcae36f0ffe9f8563d83e6385f9df307a854d55d7d0abb7241ee8dbcc6 F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645 F src/mem1.c c12a42539b1ba105e3707d0e628ad70e611040d8f5e38cf942cee30c867083de 
@@ -526,14 +526,14 @@ F src/pragma.h ec3b31eac9b1df040f1cc8cb3d89bc06605c3b4cb3d76f833de8d6d6c3f77f04 F src/prepare.c 6049beb71385f017af6fc320d2c75a4e50b75e280c54232442b785fbb83df057 F src/printf.c 9be6945837c839ba57837b4bc3af349eba630920fa5532aa518816defe42a7d4 F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384 -F src/resolve.c e231da7dd307f99772c40e76096abaf05c6fedcb4f1f045de23a61c194df6da6 +F src/resolve.c 8513df170ff6069828fbfcb7a59d84521b30b2ee19a2f57a391cc59baf381a55 F src/rowset.c d977b011993aaea002cab3e0bb2ce50cf346000dff94e944d547b989f4b1fe93 F src/select.c 2a753ec714703c32e4aade5b0115033bbee8a377b215cb0fbe88ab2fa4b3e028 -F src/shell.c.in 4a3a9e1c11847b1904f2b01d087af1c052f660902755abab457cab1756817ded -F src/sqlite.h.in 51f69c62ba3e980aca1e39badcaf9ad13f008774fe1bb8e7f57e3e456c656670 +F src/shell.c.in 709c85e7f90ac62f8bc45ed11feabcfeb6e9559892c55fcb557a062b8c698d0e +F src/sqlite.h.in efaecabd038dc30282f243af087c4960e528d0df25a05f90f988435fec5ef779 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8 F src/sqlite3ext.h 72af51aa4e912e14cd495fb6e7fac65f0940db80ed950d90911aff292cc47ce2 -F src/sqliteInt.h e526421d44d88f17c397647371e460841c961b27ccf69301177b63d18ebbeead +F src/sqliteInt.h 3e4c8037071dbf74886c25f4ada1499bac7e90352a91ad072372282477dc7296 F src/sqliteLimit.h 1513bfb7b20378aa0041e7022d04acb73525de35b80b252f1b83fedb4de6a76b F src/status.c 46e7aec11f79dad50965a5ca5fa9de009f7d6bde08be2156f1538a0a296d4d0e F src/table.c b46ad567748f24a326d9de40e5b9659f96ffff34 
@@ -1853,7 +1853,10 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P f3171dc22e4d3a40ca17fe609391d92fc6a997b775bfefa5947aec69c889aa73 -R 25bc6cfca86f50c6bebf64970cf717c5 +P 3bd095a53119c368fe30e539983588b27957203344cf427405b9a64784b8eba7 +R 1519469fee4296191cf9c590f16cccb9 +T *branch * new-security-options +T *sym-new-security-options * +T -sym-trunk * U drh -Z 6a954000d634738bb471999423aebba1 +Z 66c42f7199d224391a430f509bbf28ff diff --git a/manifest.uuid b/manifest.uuid index 266e4c4a56..34ed42b1fb 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -3bd095a53119c368fe30e539983588b27957203344cf427405b9a64784b8eba7 \ No newline at end of file +96a2db2612f2e47bbec0e374a242820c88f03c42ccbf8467abccaef41469bae2 \ No newline at end of file diff --git a/src/main.c b/src/main.c index 1afeee0bdb..70c5b89d0a 100644 --- a/src/main.c +++ b/src/main.c @@ -852,6 +852,8 @@ int sqlite3_db_config(sqlite3 *db, int op, ...){ { SQLITE_DBCONFIG_DQS_DDL, SQLITE_DqsDDL }, { SQLITE_DBCONFIG_DQS_DML, SQLITE_DqsDML }, { SQLITE_DBCONFIG_LEGACY_FILE_FORMAT, SQLITE_LegacyFileFmt }, + { SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW, SQLITE_UnsafeInView }, + { SQLITE_DBCONFIG_VTAB_IN_VIEW, SQLITE_VtabInView }, }; unsigned int i; rc = SQLITE_ERROR; /* IMP: R-42790-23372 */ @@ -3082,6 +3084,8 @@ static int openDatabase( | SQLITE_EnableTrigger | SQLITE_EnableView | SQLITE_CacheSpill + | SQLITE_UnsafeInView + | SQLITE_VtabInView /* The SQLITE_DQS compile-time option determines the default settings ** for SQLITE_DBCONFIG_DQS_DDL and SQLITE_DBCONFIG_DQS_DML. diff --git a/src/resolve.c b/src/resolve.c index a0f9c0f22f..36eef4bb4e 100644 --- a/src/resolve.c +++ b/src/resolve.c 
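Review bot: Both new flags are OR'd into the default `db->flags` in the openDatabase hunk, so a process that opens an untrusted file gets no protection from either option unless it remembers to call sqlite3_db_config() and clear each one on every connection. The context lines right below show how the same legacy-compatibility tension is handled for DQS: a compile-time `SQLITE_DQS` option chooses the default, so a hardened build can ship with the permissive behaviour off. The same shape here — a compile-time default tested in an `#if` around `| SQLITE_UnsafeInView` and `| SQLITE_VtabInView` — would let embedders that only ever read foreign databases get the restrictive default without auditing every open path. openDatabase starts and ends outside the hunk.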
@@ -861,6 +861,16 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
       ** constant because they are constant for the duration of one query.
       ** This allows them to be factored out of inner loops. */
       ExprSetProperty(pExpr,EP_ConstFunc);
+    }else{
+      if( ExprHasProperty(pExpr, EP_Indirect)
+       && !IN_RENAME_OBJECT
+       && (pParse->db->flags & SQLITE_UnsafeInView)==0
+      ){
+        /* If SQLITE_DBCONFIG_UNSAFE_IN_VIEW is off, then functions with
+        ** side effects are not allowed inside triggers and views. */
+        sqlite3ErrorMsg(pParse, "%s() prohibited in triggers and views",
+            pDef->zName);
+      }
     }
     if( (pDef->funcFlags & SQLITE_FUNC_CONSTANT)==0 ){
       /* Date/time functions that use 'now', and other functions like
diff --git a/src/shell.c.in b/src/shell.c.in
index e6b6f1a1b3..1a06bf8477 100644
--- a/src/shell.c.in
+++ b/src/shell.c.in
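Review bot: The new comment names `SQLITE_DBCONFIG_UNSAFE_IN_VIEW`, but the option this branch declares and maps onto `SQLITE_UnsafeInView` is `SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW`; the comment should read `/* If SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW is off, then functions with side effects are not allowed inside triggers and views. */`. The else branch also classifies as "has side effects" every function that did not earn EP_ConstFunc in the if above, so if that condition tests SQLITE_FUNC_CONSTANT/SLOCHNG as it does on trunk (it lies outside the hunk), application-defined functions registered without SQLITE_DETERMINISTIC will start failing inside views and triggers as soon as the option is turned off — that compatibility consequence belongs in the comment, or the check should key on an explicit side-effect flag rather than the absence of a constant flag. What EP_Indirect marks is not visible here either; a one-line comment stating which expressions carry it would let a reader confirm the guard covers both triggers and views as the error message claims. resolveExprStep starts and ends outside the hunk.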
@@ -7159,21 +7159,23 @@ static int do_meta_command(char *zLine, ShellState *p){
       const char *zName;
       int op;
     } aDbConfig[] = {
+        { "defensive",          SQLITE_DBCONFIG_DEFENSIVE             },
+        { "dqs_ddl",            SQLITE_DBCONFIG_DQS_DDL               },
+        { "dqs_dml",            SQLITE_DBCONFIG_DQS_DML               },
         { "enable_fkey",        SQLITE_DBCONFIG_ENABLE_FKEY           },
+        { "enable_qpsg",        SQLITE_DBCONFIG_ENABLE_QPSG           },
         { "enable_trigger",     SQLITE_DBCONFIG_ENABLE_TRIGGER        },
         { "enable_view",        SQLITE_DBCONFIG_ENABLE_VIEW           },
         { "fts3_tokenizer",     SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER },
+        { "legacy_alter_table", SQLITE_DBCONFIG_LEGACY_ALTER_TABLE    },
+        { "legacy_file_format", SQLITE_DBCONFIG_LEGACY_FILE_FORMAT    },
         { "load_extension",     SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION },
         { "no_ckpt_on_close",   SQLITE_DBCONFIG_NO_CKPT_ON_CLOSE      },
-        { "enable_qpsg",        SQLITE_DBCONFIG_ENABLE_QPSG           },
-        { "trigger_eqp",        SQLITE_DBCONFIG_TRIGGER_EQP           },
         { "reset_database",     SQLITE_DBCONFIG_RESET_DATABASE        },
-        { "defensive",          SQLITE_DBCONFIG_DEFENSIVE             },
+        { "trigger_eqp",        SQLITE_DBCONFIG_TRIGGER_EQP           },
+        { "unsafe_func_in_view",SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW   },
+        { "vtab_in_view",       SQLITE_DBCONFIG_VTAB_IN_VIEW          },
         { "writable_schema",    SQLITE_DBCONFIG_WRITABLE_SCHEMA       },
-        { "legacy_alter_table", SQLITE_DBCONFIG_LEGACY_ALTER_TABLE    },
-        { "dqs_dml",            SQLITE_DBCONFIG_DQS_DML               },
-        { "dqs_ddl",            SQLITE_DBCONFIG_DQS_DDL               },
-        { "legacy_file_format", SQLITE_DBCONFIG_LEGACY_FILE_FORMAT    },
     };
     int ii, v;
     open_db(p, 0);
@@ -7183,7 +7185,7 @@ static int do_meta_command(char *zLine, ShellState *p){
       sqlite3_db_config(p->db, aDbConfig[ii].op, booleanValue(azArg[2]), 0);
     }
     sqlite3_db_config(p->db, aDbConfig[ii].op, -1, &v);
-    utf8_printf(p->out, "%18s %s\n", aDbConfig[ii].zName, v ? "on" : "off");
+    utf8_printf(p->out, "%19s %s\n", aDbConfig[ii].zName, v ? "on" : "off");
     if( nArg>1 ) break;
   }
   if( nArg>1 && ii==ArraySize(aDbConfig) ){
diff --git a/src/sqlite.h.in b/src/sqlite.h.in
index 50976ee163..03e92a4c30 100644
--- a/src/sqlite.h.in
+++ b/src/sqlite.h.in
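Review bot: The `%19s` width in the second hunk is hand-synchronized with the longest zName in aDbConfig (`unsafe_func_in_view`, 19 characters) and had to be bumped from 18 in this very commit, so the next option longer than that will silently misalign the listing again. A comment on the utf8_printf line such as `/* field width must cover the longest zName in aDbConfig[] */`, or a width computed from the table once, would make the coupling visible. do_meta_command starts and ends outside the hunk.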
@@ -2265,6 +2265,33 @@ struct sqlite3_mem_methods { ** compile-time option. ** ** +** [[SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW]] +**
SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW +**
The SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW option activates or deactivates +** the ability to use SQL functions that have side-effects inside of +** triggers and views. For legacy compatibility, this setting defaults +** to "on". Applications that are operating on untrusted database files +** are advised to change this setting to "off". When this setting is on, +** only functions that have no side effects are usable inside of views. +** This prevents an attacker from modifying the schema of a database so +** that views and/or triggers with undesirable side-effects are run when +** the application innocently tries to access what it thinks is an ordinary +** table. +**
+** +** [[SQLITE_DBCONFIG_VTAB_IN_VIEW]] +**
SQLITE_DBCONFIG_VTAB_IN_VIEW +**
The SQLITE_DBCONFIG_VTAB_IN_VIEW option activates or deactivates +** the ability to use [virtual tables] inside of triggers and views. +** For legacy compatibility, this setting defaults +** to "on". Applications that are operating on untrusted database files +** are advised to change this setting to "off". Turning this setting off +** prevents an attacker from modifying the schema of a database so +** that views and/or triggers with undesirable side-effects are run when +** the application innocently tries to access what it thinks is an ordinary +** table. +**
+** ** [[SQLITE_DBCONFIG_LEGACY_FILE_FORMAT]] **
SQLITE_DBCONFIG_LEGACY_FILE_FORMAT **
The SQLITE_DBCONFIG_LEGACY_FILE_FORMAT option activates or deactivates @@ -2305,7 +2332,9 @@ struct sqlite3_mem_methods { #define SQLITE_DBCONFIG_DQS_DDL 1014 /* int int* */ #define SQLITE_DBCONFIG_ENABLE_VIEW 1015 /* int int* */ #define SQLITE_DBCONFIG_LEGACY_FILE_FORMAT 1016 /* int int* */ -#define SQLITE_DBCONFIG_MAX 1016 /* Largest DBCONFIG */ +#define SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW 1017 /* int int* */ +#define SQLITE_DBCONFIG_VTAB_IN_VIEW 1018 /* int int* */ +#define SQLITE_DBCONFIG_MAX 1018 /* Largest DBCONFIG */ /* ** CAPI3REF: Enable Or Disable Extended Result Codes diff --git a/src/sqliteInt.h b/src/sqliteInt.h index 0dcb103532..d0452f548c 100644 --- a/src/sqliteInt.h +++ b/src/sqliteInt.h @@ -1142,6 +1142,7 @@ typedef struct With With; ** A bit in a Bitmask */ #define MASKBIT(n) (((Bitmask)1)<<(n)) +#define MASKBIT64(n) (((u64)1)<<(n)) #define MASKBIT32(n) (((unsigned int)1)<<(n)) #define ALLBITS ((Bitmask)-1) @@ -1526,6 +1527,13 @@ struct sqlite3 { #define SCHEMA_ENC(db) ((db)->aDb[0].pSchema->enc) #define ENC(db) ((db)->enc) +/* +** A u64 constant where the lower 32 bits are all zeros. Only the +** upper 32 bits are included in the argument. Necessary because some +** C-compilers still do not accept LL integer literals. +*/ +#define HI(X) ((u64)(X)<<32) + /* ** Possible values for the sqlite3.flags. ** 
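Review bot: The SQLITE_DBCONFIG_UNSAFE_FUNC_IN_VIEW paragraph contradicts the code it documents: resolve.c raises the error when SQLITE_UnsafeInView is clear, so the sentence should read `When this setting is off, only functions that have no side effects are usable inside of triggers and views.` rather than "on", otherwise an integrator following the text verbatim leaves the permissive default in place. The SQLITE_DBCONFIG_VTAB_IN_VIEW paragraph promises that turning the option off stops views and triggers from reaching virtual tables, but the only hunks touching that flag in this commit are plumbing in main.c, sqliteInt.h and shell.c.in, and the manifest lists no other modified source file, so the documented behaviour appears not to be enforced yet — either mark the paragraph as describing intended behaviour or hold it until the check lands. Both paragraphs would also benefit from saying the settings are per-connection, which is what the aFlagOp table in sqlite3_db_config implies.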
@@ -1541,11 +1549,10 @@ struct sqlite3 { #define SQLITE_CkptFullFSync 0x00000010 /* Use full fsync for checkpoint */ #define SQLITE_CacheSpill 0x00000020 /* OK to spill pager cache */ #define SQLITE_ShortColNames 0x00000040 /* Show short columns names */ -#define SQLITE_CountRows 0x00000080 /* Count rows changed by INSERT, */ - /* DELETE, or UPDATE and return */ - /* the count using a callback. */ -#define SQLITE_NullCallback 0x00000100 /* Invoke the callback once if the */ - /* result set is empty */ +#define SQLITE_UnsafeInView 0x00000080 /* Allow functions with side-effect + ** in triggers and views */ +#define SQLITE_VtabInView 0x00000100 /* Allow views and triggers to access + ** virtual tables */ #define SQLITE_IgnoreChecks 0x00000200 /* Do not enforce check constraints */ #define SQLITE_ReadUncommit 0x00000400 /* READ UNCOMMITTED in shared-cache */ #define SQLITE_NoCkptOnClose 0x00000800 /* No checkpoint on close()/DETACH */ @@ -1569,9 +1576,13 @@ struct sqlite3 { #define SQLITE_DqsDDL 0x20000000 /* dbl-quoted strings allowed in DDL*/ #define SQLITE_DqsDML 0x40000000 /* dbl-quoted strings allowed in DML*/ #define SQLITE_EnableView 0x80000000 /* Enable the use of views */ +#define SQLITE_CountRows HI(0x00001) /* Count rows changed by INSERT, */ + /* DELETE, or UPDATE and return */ + /* the count using a callback. */ +#define SQLITE_NullCallback HI(0000002) /* Invoke the callback once if the */ + /* result set is empty */ /* Flags used only if debugging */ -#define HI(X) ((u64)(X)<<32) #ifdef SQLITE_DEBUG #define SQLITE_SqlTrace HI(0x0100000) /* Debug print SQL as it executes */ #define SQLITE_VdbeListing HI(0x0200000) /* Debug listings of VDBE progs */
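Review bot: SQLITE_UnsafeInView and SQLITE_VtabInView take over bit values 0x00000080 and 0x00000100 that SQLITE_CountRows and SQLITE_NullCallback held until this commit, and those two move to HI(...) bits above 32; HI() was previously used only under SQLITE_DEBUG, so any release-build code outside this diff that copies db->flags into a 32-bit int or tests it with an int mask would now read the new security options where it meant count_changes or the empty-result callback, and a stale object file would do the same. Appending the two new flags at the high end instead, and leaving the existing low-bit values untouched, avoids the reuse entirely and keeps the repurposing from being a silent failure mode.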
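Review bot: `HI(0000002)` on the relocated SQLITE_NullCallback line is an octal literal with no `0x` prefix, unlike `HI(0x00001)` on the line above; it happens to evaluate to 2 today, but it reads as a typo and a later edit to a digit of 8 or 9 in the same style would not compile. Write it as `#define SQLITE_NullCallback HI(0x00002)` so the two moved flags match the hex convention of every other value in the table.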