989c4161c9
relying on --safe for execution of an untrusted CLI script OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=301
57 lines
1.6 KiB
Diff
57 lines
1.6 KiB
Diff
Index: src/shell.c.in
|
|
==================================================================
|
|
--- src/shell.c.in
|
|
+++ src/shell.c.in
|
|
@@ -1878,11 +1878,11 @@
|
|
"readfile",
|
|
"writefile",
|
|
"zipfile",
|
|
"zipfile_cds",
|
|
};
|
|
- UNUSED_PARAMETER(zA2);
|
|
+ UNUSED_PARAMETER(zA1);
|
|
UNUSED_PARAMETER(zA3);
|
|
UNUSED_PARAMETER(zA4);
|
|
switch( op ){
|
|
case SQLITE_ATTACH: {
|
|
#ifndef SQLITE_SHELL_FIDDLE
|
|
@@ -1893,11 +1893,11 @@
|
|
break;
|
|
}
|
|
case SQLITE_FUNCTION: {
|
|
int i;
|
|
for(i=0; i<ArraySize(azProhibitedFunctions); i++){
|
|
- if( sqlite3_stricmp(zA1, azProhibitedFunctions[i])==0 ){
|
|
+ if( sqlite3_stricmp(zA2, azProhibitedFunctions[i])==0 ){
|
|
failIfSafeMode(p, "cannot use the %s() function in safe mode",
|
|
azProhibitedFunctions[i]);
|
|
}
|
|
}
|
|
break;
|
|
|
|
Index: test/shell2.test
|
|
==================================================================
|
|
--- test/shell2.test
|
|
+++ test/shell2.test
|
|
@@ -188,7 +188,19 @@
|
|
catchcmd ":memory:" {
|
|
SELECT 'unclosed;}
|
|
} {1 {Parse error near line 2: unrecognized token: "'unclosed;"
|
|
SELECT 'unclosed;
|
|
^--- error here}}
|
|
+
|
|
+# Verify that safe mode rejects certain UDFs
|
|
+# Reported at https://sqlite.org/forum/forumpost/07beac8056151b2f
|
|
+do_test shell2-1.4.8 {
|
|
+ catchcmd "-safe :memory:" {
|
|
+ SELECT edit('DoNotCare');}
|
|
+} {1 {line 2: cannot use the edit() function in safe mode}}
|
|
+do_test shell2-1.4.9 {
|
|
+ catchcmd "-safe :memory:" {
|
|
+ SELECT writefile('DoNotCare', x'');}
|
|
+} {1 {line 2: cannot use the writefile() function in safe mode}}
|
|
+
|
|
|
|
finish_test
|
|
|