When rolling back a journal that contains a super-journal pointer, only attempt to...

FossilOrigin-Name: 0cdde6755837935e4feaa4367a0b107e363582adc8112a91dc7416f1100ae3aa

diff --git a/manifest b/manifest
index 2da82098b010a2995cb220275e067a3ccfafcb69..461f6ea717891fde009d9cc9e06e662ed235e140 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Avoid\strying\sto\sdelete\sa\sdatabase\sfile\swhile\sit\sis\sstill\sopen\sin\sbackup5.test.
-D 2026-06-24T14:17:52.488
+C When\srolling\sback\sa\sjournal\sthat\scontains\sa\ssuper-journal\spointer,\sonly\sattempt\sto\sunlink\sthe\ssuper-journal\sif\sthe\sfilename\slooks\slike\sone\sthat\sSQLite\smight\shave\sgenerated.\sThis\sis\sto\slimit\sthe\sextent\sto\swhich\sSQLite\scan\sbe\scaused\sto\sdelete\sarbitrary\sfiles\sby\ssupplying\sit\swith\sa\scrafted\shot-journal.\s\sBug\s[bugs:/info/2026-06-24T14:18:00Z\s|\s2026-06-24T14:18:00Z].
+D 2026-06-24T17:14:57.054
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -725,7 +725,7 @@ F src/os_setup.h 8efc64eda6a6c2f221387eefc2e7e45fd5a3d5c8337a7a83519ba4fbd2957ae
 F src/os_unix.c 83759942d1ea8d59daed50901c123016f845fada74caf3496b8a2537c9a08838
 F src/os_win.c 1227a3e962b017d676d985a8aec0d64f273991931ea0a0b99773651102f62df4
 F src/os_win.h c06ccc3a090cf54202ea58981c298817f3309d4c9e4d52ad0a02927346493721
-F src/pager.c f88073a00933c885b167b6d25afc4d1b83c1706943572f5653fb64a7f5bde105
+F src/pager.c a2b8fa68af33b9942603e5d81fddd3a14b349eee7ef01938748855cb438ec312
 F src/pager.h 6137149346e6c8a3ddc1eeb40aee46381e9bc8b0fcc6dda8a1efde993c2275b8
 F src/parse.y d5a3c5b0277a441c38b35071c05e2b61ff5fc918a63309c809f4b6706179c320
 F src/pcache.c 588cc3c5ccaaadde689ed35ce5c5c891a1f7b1f4d1f56f6cf0143b74d8ee6484
@@ -1448,7 +1448,7 @@ F test/misc6.test 953cc693924d88e6117aeba16f46f0bf5abede91
 F test/misc7.test d595599972ec0b436985f0f02f243b68500ffc977b9b3194ec66c0866cfddcab
 F test/misc8.test 08d2380bc435486b12161521f225043ac2be26f02471c2c1ea4cac0b1548edbd
 F test/misuse.test 859f37014d9824ca66bd90c36372c08c80c51c9593a7cfa8a31d4f92cd4d5b7f
-F test/mjournal.test 3570ca4241b0d19ca1f47616f5293722f7c2fc9f2d359fc7933d67ef51dc2137
+F test/mjournal.test 39677dd63cacb12aaf62173ef4ab0e9b7af3cdabdeb0ea335d17d1f22c4bb84b
 F test/mmap1.test 18de3fd7b70a777af6004ca2feecfcdd3d0be17fa04058e808baf530c94b1a1d
 F test/mmap2.test dba452dc7db91e9df10f70bdd73dc4190c7b8ee7b5133b4684f04277ada0b9ac
 F test/mmap3.test b3c297e78e6a8520aafcc1a8f140535594c9086e
@@ -1722,7 +1722,7 @@ F test/temptable2.test 76821347810ecc88203e6ef0dd6897b6036ac788e9dd3e6b04fd4d163
 F test/temptable3.test d11a0974e52b347e45ee54ef1923c91ed91e4637
 F test/temptrigfault.tes fc5918e64f3867156fefe7cfca9d8e1f495134a5229b2b511b0dc11c07f2eab4
 F test/temptrigger.test a00f258ed8d21a0e8fd4f322f15e8cfb5cef2e43655670e07a753e3fb4769d61
-F test/tester.tcl 2d943f60200e0a36bcd3f1f0baf181a751cd3604ef6b6bd4c8dc39b4e8a53116
+F test/tester.tcl dfd8dd05b54bc493a8db6cc1263ee364c36e3c27fab258dad7305cd79b948f3f
 F test/testloadext.c 862b848783eaed9985fbce46c65cd214664376b549fae252b364d5d1ef350a27
 F test/testrunner.tcl 8171b887ab78d55b73fd971e22690eff0fabec913fbf3b5fbeaf159b3f00b2dc x
 F test/testrunner_data.tcl 4b3cf036d39c98b83f9289a5c047eb01089c932d4f59a81bf764f6800589b959
@@ -2208,8 +2208,11 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 5482548b6bca2827246cd2cc928c89a953365da5ebe42d3a2876371ec6880f1b
-R b0d4c11e49460a97cc1177e498ab6558
+P 395cbed103af08e3a4fafd9a3041205535e019d4aeb58b46c4a7e4f3bca545c9
+R 73c1d4bd2cc78546d34368e3afe8224e
+T *branch * del-super-filter
+T *sym-del-super-filter *
+T -sym-trunk *
 U dan
-Z d794be864d6f3f101d67593b1a8e2b43
+Z b9d7aa6744ea09c029dff1ca3aa0a964
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.tags b/manifest.tags
index bec971799ff1b8ee641c166c7aeb22d12c785393..754dd8c11eef5e58d54105b30692cda5ee2c90ef 100644 (file)
--- a/manifest.tags
+++ b/manifest.tags
@@ -1,2 +1,2 @@
-branch trunk
-tag trunk
+branch del-super-filter
+tag del-super-filter

diff --git a/manifest.uuid b/manifest.uuid
index b9c517a371927e7671fcb787cda541e8d904f86a..23f46461ad6555bdae166c681ecbc0054d7c4a77 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-395cbed103af08e3a4fafd9a3041205535e019d4aeb58b46c4a7e4f3bca545c9
+0cdde6755837935e4feaa4367a0b107e363582adc8112a91dc7416f1100ae3aa

diff --git a/src/pager.c b/src/pager.c
index 67b5b3673ed9622d4e8b24ea7d74e4df7248ad82..88a774a4910dc736f8aad6113af1d6acd3aa3888 100644 (file)
--- a/src/pager.c
+++ b/src/pager.c
@@ -2499,6 +2499,38 @@ static int pager_playback_one_page(
   return rc;
 }
 
+/* 
+** Check if zSuper is a valid super-journal name. There are two valid
+** formats:
+**
+**   + The 3rd and 4th last bytes of the filename are ".9", and the 
+**     following 2 bytes are hex digits. This is a file created in 8.3 
+**     filenames
+**
+**   + The 3rd last byte of the filename is "9" and the filename
+**     contains the string "-mj" starting at the 12th last byte.
+**     All bytes following the "-mj" are hex digits.
+**
+** If the filename matches either of these patterns, return non-zero. 
+** Otherwise, return zero.
+*/
+static int pagerIsSuperJrnlName(const char *zSuper){
+  const int nSuper = sqlite3Strlen30(zSuper);
+  int ii;
+
+  if( nSuper<4 ) return 0;
+  if( zSuper[nSuper-3]!='9' ) return 0;
+  if( sqlite3Isxdigit(zSuper[nSuper-2])==0 ) return 0;
+  if( sqlite3Isxdigit(zSuper[nSuper-1])==0 ) return 0;
+  if( zSuper[nSuper-4]=='.' ) return 1;
+  if( nSuper<12 ) return 0;
+  if( memcmp(&zSuper[nSuper-12], "-mj", 3) ) return 0;
+  for(ii=nSuper-9; ii<nSuper; ii++){
+    if( sqlite3Isxdigit(zSuper[ii])==0 ) return 0;
+  }
+  return 1;
+}
+
 /*
 ** Parameter zSuper is the name of a super-journal file. A single journal
 ** file that referred to the super-journal file has just been rolled back.
@@ -2552,6 +2584,14 @@ static int pager_delsuper(Pager *pPager, const char *zSuper){
   char *zJournal;           /* Pointer to one journal within MJ file */
   char *zFree = 0;          /* Free this buffer */
 
+  /* Check if this looks like a real super-journal name. If it does not,
+  ** return SQLITE_OK without attempting to delete it. This is to limit
+  ** the degree to which a crafted journal file can be used to cause
+  ** SQLite to delete arbitrary files. */
+  if( pagerIsSuperJrnlName(zSuper)==0 ){
+    return SQLITE_OK;
+  }
+
   /* Allocate space for both the pJournal and pSuper file descriptors.
   ** If successful, open the super-journal file for reading.
   */

diff --git a/test/mjournal.test b/test/mjournal.test
index 07d26a55d5c9b9808e4ba547427dff05cdc37953..dff717a098fa31a992b7dea15a32248c42da49dc 100644 (file)
--- a/test/mjournal.test
+++ b/test/mjournal.test
@@ -213,6 +213,68 @@ do_execsql_test 3.3 {
   SELECT type, name, tbl_name, sql FROM sqlite_schema
 } {table t1 t1 {CREATE TABLE t1(x, y)}}
 
+#-------------------------------------------------------------------------
+reset_db
+do_execsql_test 4.0 {
+  CREATE TABLE t1(x INTEGER PRIMARY KEY);
+}
+db_save_and_close
 
+proc append_super_journal {jrnl mjname} {
+  binary scan $mjname c* bytes
+  set cksum 0
+  foreach b $bytes { incr cksum $b }
+  set fd [open $jrnl a+]
+  fconfigure $fd -translation binary -encoding iso8859-1
+  puts -nonewline $fd $mjname
+  puts -nonewline $fd [binary format I [string length $mjname]]
+  puts -nonewline $fd [binary format I $cksum]
+  puts -nonewline $fd [binary decode hex "d9d505f920a163d7"]
+  close $fd
+}
+
+foreach {tn mjname bDel} {
+  1 notamasterjournal   0
+  2 master.9FF          1
+  3 master-mj1234569AA  1
+  4 master-mj123456_AA  0
+  5 abc                 0
+  6 masterr9FF          0
+  7 master-fj123456_AA  0
+  8 -mj1234569AA        1
+  9 1-mj1234569AA       1
+  10 .9AB               1
+  11 master.9X2         0
+  12 master.92X         0
+  13 master-mj12G4569AA 0
+} {
+  db_restore_and_reopen
+  execsql {
+    PRAGMA synchronous = OFF;
+    BEGIN;
+      INSERT INTO t1 DEFAULT VALUES;
+  }
+
+  db_save_and_close
+  db_restore
+
+  append_super_journal test.db-journal $mjname
+  set fd [open $mjname w]
+  puts $fd "helloworld"
+  close $fd
+
+  sqlite3 db test.db
+  do_test 4.$tn.1 {
+    execsql { SELECT * FROM t1 }
+    file exists $mjname
+  } [expr !$bDel]
+  do_test 4.$tn.2 {
+    file exists test.db-journal
+  } {0}
+  
+  forcedelete $mjname
+}
 
 finish_test
+
+

diff --git a/test/tester.tcl b/test/tester.tcl
index 856df54215d638e0107da09f9779ffade6e7b3a3..c4f35fccbac96b93133cd1edb82eb7449ccfeb93 100644 (file)
--- a/test/tester.tcl
+++ b/test/tester.tcl
@@ -291,9 +291,9 @@ proc do_delete_file {force args} {
       for {set i 0} {$i<$nRetry} {incr i} {
         set rc [catch {
           if {$force} {
-            file delete -force $filename
+            file delete -force -- $filename
           } else {
-            file delete $filename
+            file delete -- $filename
           }
         } msg]
         if {$rc==0} break
@@ -302,9 +302,9 @@ proc do_delete_file {force args} {
       if {$rc} { error $msg }
     } else {
       if {$force} {
-        file delete -force $filename
+        file delete -force -- $filename
       } else {
-        file delete $filename
+        file delete -- $filename
       }
     }
   }