From: drh <drh@noemail.net>
Date: Thu, 19 Dec 2019 03:14:54 +0000 (+0000)
Subject: More restrictions on changes to shadow tables when in defensive mode.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Fbranch-3.30;p=thirdparty%2Fsqlite.git

More restrictions on changes to shadow tables when in defensive mode.

FossilOrigin-Name: 4146c629c6136e2fbbd63083037bbd91956e58d374cf41b2fdd6ab8de342af9a
---

diff --git a/manifest b/manifest
index 6061c085f7..cb41648c64 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Backport\ssupport\sfor\sthe\ssqlite3_hard_heap_limit64()\sinterface\sand\sthe\nhard_heap_limit\spragma\sto\sthe\s3.30\sbranch.
-D 2019-11-14T23:08:00.676
+C More\srestrictions\son\schanges\sto\sshadow\stables\swhen\sin\sdefensive\smode.
+D 2019-12-19T03:14:54.393
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -459,7 +459,7 @@ F spec.template 86a4a43b99ebb3e75e6b9a735d5fd293a24e90ca
 F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b
 F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
-F src/alter.c 5773b28684a001dcab45adcefa3cbf5e846335c0c8fee0da8a3770cb0123bba8
+F src/alter.c ca75938a5e4206d76cec2ad54ca40c5d79b6abeb9628c0b9a00635b5397dfdbd
 F src/analyze.c a3f4ea45cdb4e9df78d4ea7beb87ec8a7a46f494173b641cd28512a40a97bff2
 F src/attach.c 3ca19504849c2d9be10fc5899d6811f9d6e848665d1a41ffb53df0cd6e7c13ed
 F src/auth.c a3d5bfdba83d25abed1013a8c7a5f204e2e29b0c25242a56bc02bb0c07bf1e06
@@ -469,14 +469,14 @@ F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6
 F src/btree.c fdc4389b271bca30138db27dc2dfb9f52c2a7baaa44845aaf31a3c54663d837f
 F src/btree.h c11446f07ec0e9dc85af8041cb0855c52f5359c8b2a43e47e02a685282504d89
 F src/btreeInt.h 6111c15868b90669f79081039d19e7ea8674013f907710baa3c814dc3f8bfd3f
-F src/build.c 4814d55abb5553ac82763f6df9e185503d913f912cc0abea00965bb02912cc2d
+F src/build.c 6ec6e0765a3ed7fcea3b5a8857886dfb8512851d03ef742d8c66d0d366a4d7a2
 F src/callback.c 25dda5e1c2334a367b94a64077b1d06b2553369f616261ca6783c48bcb6bda73
 F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e
 F src/ctime.c 1b0724e66f95f33b160b1af85caaf9cceb325d22abf39bd24df4f54a73982251
 F src/date.c e1d8ac7102f3f283e63e13867acb0efa33861cf34f0faf4cdbaf9fa7a1eb7041
 F src/dbpage.c 135eb3b5e74f9ef74bde5cec2571192c90c86984fa534c88bf4a055076fa19b7
 F src/dbstat.c c12833de69cb655751487d2c5a59607e36be1c58ba1f4bd536609909ad47b319
-F src/delete.c d08c9e01a2664afd12edcfa3a9c6578517e8ff8735f35509582693adbe0edeaf
+F src/delete.c e12b572e82eb8127627f09acd5ff2b5f180d983922e2782f7c09ad455e7a547e
 F src/expr.c 18974550063a6a1c8eef69e63d2ad88ceb4395ef139a60cc0d0a28632f41d553
 F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007
 F src/fkey.c 6b79f4c2447691aa9ac86e2a6a774b65f3b3dd053d4220a4893051a0de20f82e
@@ -530,7 +530,7 @@ F src/shell.c.in d70bcf630c4073eaa994fa74be98886c781918e794cb8b562be8df10f018e27
 F src/sqlite.h.in d568986ef8d8c89e8cd89e234899f25a52068e0daa919dcf3565f9dcef92b3cd
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
 F src/sqlite3ext.h 72af51aa4e912e14cd495fb6e7fac65f0940db80ed950d90911aff292cc47ce2
-F src/sqliteInt.h b8cabe8fcef93b7251422db41903c04abb4052df015eacb886dabd496fc3e0e8
+F src/sqliteInt.h 28224ae63baff3952acc55f88b03263516e0b0062bce58bce1814e996143943b
 F src/sqliteLimit.h 1513bfb7b20378aa0041e7022d04acb73525de35b80b252f1b83fedb4de6a76b
 F src/status.c 46e7aec11f79dad50965a5ca5fa9de009f7d6bde08be2156f1538a0a296d4d0e
 F src/table.c b46ad567748f24a326d9de40e5b9659f96ffff34
@@ -633,7 +633,7 @@ F test/altercol.test 54374d2ba18af25bb24e23acf18a60270d4ec120b7ec0558078b59d5aa1
 F test/alterlegacy.test 82022721ce0de29cedc9a7af63bc9fcc078b0ee000f8283b4b6ea9c3eab2f44b
 F test/altermalloc.test 167a47de41b5c638f5f5c6efb59784002b196fff70f98d9b4ed3cd74a3fb80c9
 F test/altermalloc2.test fa7b1c1139ea39b8dec407cf1feb032ca8e0076bd429574969b619175ad0174b
-F test/altertab.test b2004ac589207fed7e19877bc3f1ad65142be482f269c176ee407e3b4a65f1a0
+F test/altertab.test a85f1462f2f8c3e9de8dfd3a7aa44eed3871927c311df80ecc4c284c0833916f
 F test/altertab2.test 8883693952f6d7fb5f754dbf1d694ed780aa883027bef04cb1fb99a3b88c9272
 F test/altertab3.test c755ef31f8a61911331b46d71e43f6f3ef94af05c56314b168e47520355fa18e
 F test/amatch1.test b5ae7065f042b7f4c1c922933f4700add50cdb9f
@@ -1846,8 +1846,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 18db032d058f1436ce3dea84081f4ee5a0f2259ad97301d43c426bc7f3df1b0b
-Q +6399c47ea89c5766274bd6abdc9b6a85fe5b7f6c1078972c2f58e624bae59b7c
-R 0540f61436f821c83da2a74759ecb87d
+P ba27012d43a84e22a8329adfe8284e4299432a373e6cb0c6e9e1e20a1b543436
+Q +bae76a5c40703871e5ce4cd23d6fae5a3836606f524a63b01ac828c7a602c5e9
+R aa171709c84f1eb01e80c5bba6358e4d
 U drh
-Z 26c9aedefe3af9bc6beda85fa9ab28af
+Z c816fc63e9e58393afc39bfcf91590a5
diff --git a/manifest.uuid b/manifest.uuid
index a5df1a1d51..b4bea9fed0 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-ba27012d43a84e22a8329adfe8284e4299432a373e6cb0c6e9e1e20a1b543436
\ No newline at end of file
+4146c629c6136e2fbbd63083037bbd91956e58d374cf41b2fdd6ab8de342af9a
\ No newline at end of file
diff --git a/src/alter.c b/src/alter.c
index 9d02d3835a..b102165870 100644
--- a/src/alter.c
+++ b/src/alter.c
@@ -31,9 +31,8 @@
 static int isAlterableTable(Parse *pParse, Table *pTab){
   if( 0==sqlite3StrNICmp(pTab->zName, "sqlite_", 7) 
 #ifndef SQLITE_OMIT_VIRTUALTABLE
-   || ( (pTab->tabFlags & TF_Shadow) 
-     && (pParse->db->flags & SQLITE_Defensive)
-     && pParse->db->nVdbeExec==0
+   || ( (pTab->tabFlags & TF_Shadow)!=0
+        && sqlite3ReadOnlyShadowTables(pParse->db)
    )
 #endif
   ){
diff --git a/src/build.c b/src/build.c
index a3d1abf042..301cd49cb7 100644
--- a/src/build.c
+++ b/src/build.c
@@ -856,13 +856,14 @@ int sqlite3CheckObjectName(
       }
     }
   }else{
-    if( pParse->nested==0 
-     && 0==sqlite3StrNICmp(zName, "sqlite_", 7)
+    if( (pParse->nested==0 && 0==sqlite3StrNICmp(zName, "sqlite_", 7))
+     || (sqlite3ReadOnlyShadowTables(db) && sqlite3ShadowTableName(db, zName))
     ){
       sqlite3ErrorMsg(pParse, "object name reserved for internal use: %s",
                       zName);
       return SQLITE_ERROR;
     }
+
   }
   return SQLITE_OK;
 }
@@ -2002,7 +2003,7 @@ static void convertToWithoutRowidTable(Parse *pParse, Table *pTab){
 ** zName is temporarily modified while this routine is running, but is
 ** restored to its original value prior to this routine returning.
 */
-static int isShadowTableName(sqlite3 *db, char *zName){
+int sqlite3ShadowTableName(sqlite3 *db, const char *zName){
   char *zTail;                  /* Pointer to the last "_" in zName */
   Table *pTab;                  /* Table that zName is a shadow of */
   Module *pMod;                 /* Module for the virtual table */
@@ -2020,8 +2021,6 @@ static int isShadowTableName(sqlite3 *db, char *zName){
   if( pMod->pModule->xShadowName==0 ) return 0;
   return pMod->pModule->xShadowName(zTail+1);
 }
-#else
-# define isShadowTableName(x,y) 0
 #endif /* ifndef SQLITE_OMIT_VIRTUALTABLE */
 
 /*
@@ -2063,7 +2062,7 @@ void sqlite3EndTable(
   p = pParse->pNewTable;
   if( p==0 ) return;
 
-  if( pSelect==0 && isShadowTableName(db, p->zName) ){
+  if( pSelect==0 && sqlite3ShadowTableName(db, p->zName) ){
     p->tabFlags |= TF_Shadow;
   }
 
@@ -2746,6 +2745,37 @@ void sqlite3CodeDropTable(Parse *pParse, Table *pTab, int iDb, int isView){
   sqliteViewResetAll(db, iDb);
 }
 
+/*
+** Return TRUE if shadow tables should be read-only in the current
+** context.
+*/
+int sqlite3ReadOnlyShadowTables(sqlite3 *db){
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  if( (db->flags & SQLITE_Defensive)!=0
+   && db->pVtabCtx==0
+   && db->nVdbeExec==0
+  ){
+    return 1;
+  }
+#endif
+  return 0;
+}
+
+/*
+** Return true if it is not allowed to drop the given table
+*/
+static int tableMayNotBeDropped(sqlite3 *db, Table *pTab){
+  if( sqlite3StrNICmp(pTab->zName, "sqlite_", 7)==0 ){
+    if( sqlite3StrNICmp(pTab->zName+7, "stat", 4)==0 ) return 0;
+    if( sqlite3StrNICmp(pTab->zName+7, "parameters", 10)==0 ) return 0;
+    return 1;
+  }
+  if( (pTab->tabFlags & TF_Shadow)!=0 && sqlite3ReadOnlyShadowTables(db) ){
+    return 1;
+  }
+  return 0;
+}
+
 /*
 ** This routine is called to do the work of a DROP TABLE statement.
 ** pName is the name of the table to be dropped.
@@ -2815,9 +2845,7 @@ void sqlite3DropTable(Parse *pParse, SrcList *pName, int isView, int noErr){
     }
   }
 #endif
-  if( sqlite3StrNICmp(pTab->zName, "sqlite_", 7)==0 
-    && sqlite3StrNICmp(pTab->zName+7, "stat", 4)!=0
-    && sqlite3StrNICmp(pTab->zName+7, "parameters", 10)!=0 ){
+  if( tableMayNotBeDropped(db, pTab) ){
     sqlite3ErrorMsg(pParse, "table %s may not be dropped", pTab->zName);
     goto exit_drop_table;
   }
diff --git a/src/delete.c b/src/delete.c
index e3a0abc2c0..e03cc22ebb 100644
--- a/src/delete.c
+++ b/src/delete.c
@@ -70,11 +70,7 @@ static int tabIsReadOnly(Parse *pParse, Table *pTab){
     return sqlite3WritableSchema(db)==0 && pParse->nested==0;
   }
   assert( pTab->tabFlags & TF_Shadow );
-  return (db->flags & SQLITE_Defensive)!=0 
-#ifndef SQLITE_OMIT_VIRTUALTABLE
-          && db->pVtabCtx==0
-#endif
-          && db->nVdbeExec==0;
+  return sqlite3ReadOnlyShadowTables(db);
 }
 
 /*
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 21d5ae891d..88fad2cd26 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -4485,6 +4485,12 @@ void sqlite3AutoLoadExtensions(sqlite3*);
    );
 #  define sqlite3VtabInSync(db) ((db)->nVTrans>0 && (db)->aVTrans==0)
 #endif
+int sqlite3ReadOnlyShadowTables(sqlite3 *db);
+#ifndef SQLITE_OMIT_VIRTUALTABLE
+  int sqlite3ShadowTableName(sqlite3 *db, const char *zName);
+#else
+# define sqlite3ShadowTableName(A,B) 0
+#endif
 int sqlite3VtabEponymousTableInit(Parse*,Module*);
 void sqlite3VtabEponymousTableClear(sqlite3*,Module*);
 void sqlite3VtabMakeWritable(Parse*,Table*);
diff --git a/test/altertab.test b/test/altertab.test
index 2eed636e0d..81b201cdf5 100644
--- a/test/altertab.test
+++ b/test/altertab.test
@@ -546,11 +546,32 @@ ifcapable fts3 {
     INSERT INTO y1_segments VALUES(1, X'1234567890');
   } {1 {table y1_segments may not be modified}}
 
-  do_catchsql_test 16.2 {
+  do_catchsql_test 16.20 {
+    DROP TABLE y1_segments;
+  } {1 {table y1_segments may not be dropped}}
+
+  do_catchsql_test 16.21 {
+    DROP TABLE y1_segments;
+  } {1 {table y1_segments may not be dropped}}
+
+  sqlite3_db_config db DEFENSIVE 0
+  do_catchsql_test 16.22 {
     ALTER TABLE y1_segments RENAME TO abc;
-  } {1 {table y1_segments may not be altered}}
+  } {0 {}}
+  sqlite3_db_config db DEFENSIVE 1
+  do_catchsql_test 16.23 {
+    CREATE TABLE y1_segments AS SELECT * FROM abc;
+  } {1 {object name reserved for internal use: y1_segments}}
+  do_catchsql_test 16.24 {
+    CREATE VIEW y1_segments AS SELECT * FROM abc;
+  } {1 {object name reserved for internal use: y1_segments}}
+  sqlite3_db_config db DEFENSIVE 0
+  do_catchsql_test 16.25 {
+    ALTER TABLE abc RENAME TO y1_segments;
+  } {0 {}}
+  sqlite3_db_config db DEFENSIVE 1
 
-  do_execsql_test 16.3 {
+  do_execsql_test 16.30 {
     ALTER TABLE y1 RENAME TO z1;
   }