From: drh Date: Thu, 20 Mar 2008 18:00:49 +0000 (+0000) Subject: In the sqlite3_limit() interface, take out the feature where zero means X-Git-Tag: version-3.6.10~1277 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f47ce56c493d91554f52ff39f5bd9af258f2985d;p=thirdparty%2Fsqlite.git In the sqlite3_limit() interface, take out the feature where zero means use the hard upper bound. If an application wants the hard upper bound, it can set the limit to 0x7fffffff and the bound will be automatically truncated. (CVS 4900) FossilOrigin-Name: d6be1f495ec57158f7bcca3e32145a9a8fde723a --- diff --git a/manifest b/manifest index d1c49637ab..a48d5812b2 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Reinstate\stest\scases\sfor\sthe\slimit\stests.\s\sThe\ssqlite3_limit()\sAPI\sis\snow\ntested\sand\sworking.\s(CVS\s4899) -D 2008-03-20T16:30:18 +C In\sthe\ssqlite3_limit()\sinterface,\stake\sout\sthe\sfeature\swhere\szero\smeans\nuse\sthe\shard\supper\sbound.\s\sIf\san\sapplication\swants\sthe\shard\supper\sbound,\nit\scan\sset\sthe\slimit\sto\s0x7fffffff\sand\sthe\sbound\swill\sbe\sautomatically\ntruncated.\s(CVS\s4900) +D 2008-03-20T18:00:49 F Makefile.arm-wince-mingw32ce-gcc ac5f7b2cef0cd850d6f755ba6ee4ab961b1fadf7 F Makefile.in cf434ce8ca902e69126ae0f94fc9f7dc7428a5fa F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654 @@ -104,7 +104,7 @@ F src/insert.c 358c80592c20a61a8d5b4a127215b5e25de652f4 F src/journal.c 807bed7a158979ac8d63953e1774e8d85bff65e2 F src/legacy.c cb1939fdeb91ea88fb44fbd2768a10e14bc44650 F src/loadext.c f26b22f7c84153c9d5dbd7c240848823c6e6b6dc -F src/main.c 24711c8e40107aad521eaa56ddf16068222061db +F src/main.c f9c9a666f0cc5f5a4b768e48d12c1d1e65bf9b36 F src/malloc.c 60e392a4c12c839517f9b0db7b995f825444fb35 F src/md5.c c5fdfa5c2593eaee2e32a5ce6c6927c986eaf217 F src/mem1.c fc716ff521b6dd3e43eaa211967383308800e70a 
@@ -138,7 +138,7 @@ F src/random.c 8b6ab5418cf0f4dde551730825d67da1457c2b3c F src/select.c 2a0f383a16c780b8ee8108e994c2f6c4f82233a9 F src/server.c 087b92a39d883e3fa113cae259d64e4c7438bc96 F src/shell.c 22297fffa6f00a6c6d44020fa13b1184a1bb372d -F src/sqlite.h.in 8c9d194ccb6b2b0d00078192c2c4f92d46a7abe4 +F src/sqlite.h.in b18c4cb006f16237aa044200ddd6a16cf4b7457c F src/sqlite3ext.h faacd0e6a81aabee0861c6d7883c9172e74ef5b3 F src/sqliteInt.h c96aca7c69ba463ee09eac19b1ac9974752b467e F src/sqliteLimit.h eecbc288b410ae5565e71aaa4a439aae57bb0707 @@ -450,7 +450,7 @@ F test/speed1.test 22e1b27af0683ed44dcd2f93ed817a9c3e65084a F test/speed2.test 53177056baf6556dcbdcf032bbdfc41c1aa74ded F test/speed3.test e312d7e442a5047d730569fdae2ba99bc94e1a13 F test/speed4.test 20d8ea20bea3ca09c3ef3b5ec820a17e58e132cb -F test/sqllimits1.test 9ecac01f2f51e3f5f7407a53af2483d096a3f540 +F test/sqllimits1.test 844c594775e5e34b3fdfea09ff52e2ea273834bf F test/subquery.test 8203f85db56ba022a57a0589890090c8feed4e59 F test/subselect.test 974e87f8fc91c5f00dd565316d396a5a6c3106c4 F test/substr.test 4be572ac017143e59b4058dc75c91a0d0dc6d4e0 @@ -624,7 +624,7 @@ F www/tclsqlite.tcl 8be95ee6dba05eabcd27a9d91331c803f2ce2130 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0 F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5 -P 53b4a09040341a981b2f33399a1ddcee952ba3ef -R aff205d8a20c135ccafeedae04a2e788 +P 4c4be4c3c8aae97f1d85442b25afba9f0b02c8b3 +R 10f06e62355868edd7f0d48570d09623 U drh -Z e01b238f8fcef143071d3d310a36fa66 +Z 5ee7e525e24d3023d636da94fdb9521e diff --git a/manifest.uuid b/manifest.uuid index c1383387ce..04165108c0 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -4c4be4c3c8aae97f1d85442b25afba9f0b02c8b3 \ No newline at end of file +d6be1f495ec57158f7bcca3e32145a9a8fde723a \ No newline at end of file diff --git a/src/main.c b/src/main.c index c472ba320e..140e64a62d 100644 --- a/src/main.c +++ b/src/main.c 
@@ -14,7 +14,7 @@ ** other files are for internal use by SQLite and should not be ** accessed by users of the library. ** -** $Id: main.c,v 1.427 2008/03/20 16:30:18 drh Exp $ +** $Id: main.c,v 1.428 2008/03/20 18:00:49 drh Exp $ */ #include "sqliteInt.h" #include @@ -1001,9 +1001,7 @@ int sqlite3_limit(sqlite3 *db, int limitId, int newLimit){ } oldLimit = db->aLimit[limitId]; if( newLimit>=0 ){ - if( newLimit==0 ){ - newLimit = aHardLimit[limitId]; - }else if( aHardLimit[limitId]>0 && newLimit>aHardLimit[limitId] ){ + if( newLimit>aHardLimit[limitId] ){ newLimit = aHardLimit[limitId]; } db->aLimit[limitId] = newLimit; diff --git a/src/sqlite.h.in b/src/sqlite.h.in index 6032cf8e5a..158c6e1e33 100644 --- a/src/sqlite.h.in +++ b/src/sqlite.h.in @@ -30,7 +30,7 @@ ** the version number) and changes its name to "sqlite3.h" as ** part of the build process. ** -** @(#) $Id: sqlite.h.in,v 1.297 2008/03/20 16:30:18 drh Exp $ +** @(#) $Id: sqlite.h.in,v 1.298 2008/03/20 18:00:49 drh Exp $ */ #ifndef _SQLITE3_H_ #define _SQLITE3_H_ 
@@ -1619,14 +1619,14 @@ void sqlite3_randomness(int N, void *P); ** CAPI3REF: Compile-Time Authorization Callbacks {F12500} ** ** This routine registers a authorizer callback with a particular -** database connection, supplied in the first argument. +** [database connection], supplied in the first argument. ** The authorizer callback is invoked as SQL statements are being compiled ** by [sqlite3_prepare()] or its variants [sqlite3_prepare_v2()], ** [sqlite3_prepare16()] and [sqlite3_prepare16_v2()]. At various ** points during the compilation process, as logic is being created ** to perform various actions, the authorizer callback is invoked to ** see if those actions are allowed. The authorizer callback should -** return SQLITE_OK to allow the action, [SQLITE_IGNORE] to disallow the +** return [SQLITE_OK] to allow the action, [SQLITE_IGNORE] to disallow the ** specific action but allow the SQL statement to continue to be ** compiled, or [SQLITE_DENY] to cause the entire SQL statement to be ** rejected with an error. If the authorizer callback returns @@ -1639,9 +1639,9 @@ void sqlite3_randomness(int N, void *P); ** [sqlite3_prepare_v2()] or equivalent call that triggered the ** authorizer will fail with an error message explaining that ** access is denied. If the authorizer code is [SQLITE_READ] -** and the callback returns [SQLITE_IGNORE] then the prepared -** statement is constructed to insert a NULL value in place of -** the table column that would have +** and the callback returns [SQLITE_IGNORE] then the +** [prepared statement] statement is constructed to substitute +** a NULL value in place of the table column that would have ** been read if [SQLITE_OK] had been returned. The [SQLITE_IGNORE] ** return can be used to deny an untrusted user access to individual ** columns of a table. 
@@ -1654,7 +1654,8 @@ void sqlite3_randomness(int N, void *P); ** parameters to the callback are zero-terminated strings that contain ** additional details about the action to be authorized. ** -** An authorizer is used when preparing SQL statements from an untrusted +** An authorizer is used when [sqlite3_prepare | preparing] +** SQL statements from an untrusted ** source, to ensure that the SQL statements do not try to access data ** that they are not allowed to see, or that they do not try to ** execute malicious statements that damage the database. For @@ -1662,8 +1663,13 @@ void sqlite3_randomness(int N, void *P); ** SQL queries for evaluation by a database. But the application does ** not want the user to be able to make arbitrary changes to the ** database. An authorizer could then be put in place while the -** user-entered SQL is being prepared that disallows everything -** except SELECT statements. +** user-entered SQL is being [sqlite3_prepare | prepared] that +** disallows everything except [SELECT] statements. +** +** Applications that need to process SQL from untrusted sources +** might also consider lowering resource limits using [sqlite3_limit()] +** and limiting database size using the [max_page_count] [PRAGMA] +** in addition to using an authorizer. ** ** Only a single authorizer can be in place on a database connection ** at a time. Each call to sqlite3_set_authorizer overrides the 
@@ -2166,35 +2172,37 @@ typedef struct sqlite3_stmt sqlite3_stmt; ** new limit for that construct. The function returns the old limit. ** ** If the new limit is a negative number, the limit is unchanged. -** If the new limit is zero, the construct becomes unlimited. Actually, -** there is a hard upper bound on the size of all constructs that -** is determined at compile-time. For the limit category of -** SQLITE_LIMIT_XYZ the hard upper bound is the compile-time -** constant SQLITE_MAX_XYZ. Attempts to increase a limit above its -** hard upper bound are silently truncated. +** For the limit category of SQLITE_LIMIT_XYZ there is a hard upper +** bound set by a compile-time C-preprocess macro named SQLITE_MAX_XYZ. +** (The "_LIMIT_" in the name is changed to "_MAX_".) +** Attempts to increase a limit above its hard upper bound are +** silently truncated to the hard upper limit. ** ** Run time limits are intended for use in applications that manage ** both their own internal database and also databases that are controlled ** by untrusted external sources. An example application might be a ** webbrowser that has its own databases for storing history and ** separate databases controlled by javascript applications downloaded -** of the internet. The internal databases can be given the +** off the internet. The internal databases can be given the ** large, default limits. Databases managed by external sources can ** be given much smaller limits designed to prevent a denial of service -** attach. +** attach. Developers might also want to use the [sqlite3_set_authorizer()] +** interface to further control untrusted SQL. The size of the database +** created by an untrusted script can be contained using the +** [max_page_count] [PRAGMA]. ** ** This interface is currently considered experimental and is subject ** to change or removal without prior notice. 
** ** INVARIANTS: ** -** {F12763} A successful call to [sqlite3_limit(D,C,V)] where V is +** {F12762} A successful call to [sqlite3_limit(D,C,V)] where V is ** positive changes the ** limit on the size of construct C in [database connection] D ** to the lessor of V and the hard upper bound on the size ** of C that is set at compile-time. ** -** {F12763} A successful call to [sqlite3_limit(D,C,V)] where V is zero +** {F12764} A successful call to [sqlite3_limit(D,C,V)] where V is zero ** changes the limit on the size of construct C in ** [database connection] D to be the hard upper bound on the size ** of C that is set at compile-time. diff --git a/test/sqllimits1.test b/test/sqllimits1.test index 91f0dfd0e1..c8af8cec52 100644 --- a/test/sqllimits1.test +++ b/test/sqllimits1.test @@ -12,7 +12,7 @@ # This file contains tests to verify that the limits defined in # sqlite source file limits.h are enforced. # -# $Id: sqllimits1.test,v 1.25 2008/03/20 16:30:18 drh Exp $ +# $Id: sqllimits1.test,v 1.26 2008/03/20 18:00:49 drh Exp $ set testdir [file dirname $argv0] source $testdir/tester.tcl @@ -223,8 +223,6 @@ do_test sqllimits1-4.10.1 { sqlite3_limit db SQLITE_LIMIT_VARIABLE_NUMBER -1 } $SQLITE_MAX_VARIABLE_NUMBER - - #-------------------------------------------------------------------- # Test cases sqllimits1-5.* test that the SQLITE_MAX_LENGTH limit # is enforced. @@ -355,10 +353,6 @@ do_test sqllimits1-6.1 { append sql [string repeat $tail $N] catchsql $sql } {1 {String or BLOB exceeded size limit}} -do_test sqllimits1-6.2 { - sqlite3_limit db SQLITE_LIMIT_SQL_LENGTH 0 - catchsql $sql -} {0 1} do_test sqllimits1-6.3 { sqlite3_limit db SQLITE_LIMIT_SQL_LENGTH 50000 set sql "SELECT 1 WHERE 1==1"
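Review bot: In the src/main.c hunk, the `aHardLimit[limitId]>0` guard is dropped along with the zero special case, so if any entry of aHardLimit is ever compiled to 0, `if( newLimit>aHardLimit[limitId] )` now clamps every positive request down to 0 instead of leaving it alone as the old code did; either add a comment that sqliteLimit.h guarantees every SQLITE_MAX_XYZ is positive, or keep the `>0` guard. The same hunk also makes a request of 0 land in `db->aLimit[limitId]` unchanged, which any positive-sized construct will exceed, so 0 is now effectively a "disable" value rather than "unlimited"; that is a behaviour change worth stating in the sqlite.h.in comment.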
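Review bot: In the sqlite.h.in hunk at -1619, the unchanged context line "This routine registers a authorizer callback" should read "an authorizer callback"; since the hunk already touches the surrounding lines to add hyperlinks, fix it here.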
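Review bot: In the sqlite.h.in hunk at -1639, the added line "** [prepared statement] statement is constructed to substitute" repeats the word "statement"; drop the second one so it reads "the [prepared statement] is constructed to substitute".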
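Review bot: In the sqlite.h.in hunk at -1662,8 +1663,13, recommending "[max_page_count] [PRAGMA]" as a size cap for untrusted SQL is incomplete on its own, because the untrusted script can raise it again with its own PRAGMA max_page_count statement; the paragraph should say that the authorizer also has to deny the pragma (SQLITE_PRAGMA action code), otherwise the cap is advisory. The same caveat applies to [sqlite3_limit()] only if the script can reach the C API, so it is fine to leave that one as written.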
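Review bot: In the sqlite.h.in hunk at -2166,35 +2172,37, invariant {F12764} still says that "[sqlite3_limit(D,C,V)] where V is zero changes the limit ... to be the hard upper bound", which is exactly the behaviour this commit removes from src/main.c; the hunk only renumbers {F12763} to {F12762}/{F12764} without updating the text, so {F12764} should be rewritten to state the new meaning of zero (or deleted, with the 0x7fffffff truncation covered by {F12762}). Smaller points in the same hunk: "compile-time C-preprocess macro" should be "C-preprocessor macro", and the added line "attach. Developers might also want to use the [sqlite3_set_authorizer()]" carries over the typo "attach" for "attack" from the line it replaces.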
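Review bot: In the test/sqllimits1.test hunk at -355,10 +353,6, test sqllimits1-6.2 (which checked that `sqlite3_limit db SQLITE_LIMIT_SQL_LENGTH 0` lifted the limit) is deleted but nothing replaces it, so the new contract from the commit message is untested. Add a case that sets `SQLITE_LIMIT_SQL_LENGTH` to 0x7fffffff and checks, with a follow-up `sqlite3_limit db SQLITE_LIMIT_SQL_LENGTH -1`, that the stored value was truncated to the hard bound (by analogy with the `$SQLITE_MAX_VARIABLE_NUMBER` check in sqllimits1-4.10.1, assuming the corresponding variable exists in tester.tcl), and a second case that sets it to 0 and confirms the previously overlong statement is now rejected rather than accepted.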