Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Change log typo fixes. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
0e82b7e2ddb95985fb0e40f3e2bcca39 |
| User & Date: | drh 2017-07-25 17:03:27 |
Context
|
2017-07-26
| ||
| 15:06 | Update test metrics on the testing.html page. (check-in: 6fc727b510 user: drh tags: trunk) | |
|
2017-07-25
| ||
| 17:03 | Change log typo fixes. (check-in: 0e82b7e2dd user: drh tags: trunk) | |
| 15:57 | More typo fixes. (check-in: 9fdf1274f9 user: drh tags: trunk) | |
Changes
Changes to pages/bindptr.in.
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
...
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
<p>
Because the pointer is passed in the t1 column of the t1
table as a BLOB (in older versions of SQLite), such a query would have
shown the value of the
pointer in hex. The attacker could then modify that pointer to try to
get the snippet() function to modify memory in some other part of
the application address space instead of the fts3cursor object it
was suppose to be operating on:
<codeblock>
SELECT snippet(x'6092310100000000') FROM t1 WHERE cx MATCH $pattern;
</codeblock>
<p>
Historically, this was not considered a threat. The argument was that if
................................................................................
arbitrary SQL, and so most uses of SQLite are immute to the attack above.
But there are some notable exceptions. To wit:
<ul>
<li><p>
The [https://en.wikipedia.org/wiki/Web_SQL_Database|WebSQL] interface
to webkit allowed any webpage to to run arbitrary SQL in the browser
for Chrome and Safari. That arbitrary SQL was suppose to be run inside
a sandbox where it could do no harm even if exploited, but that sandbox
turned out to be less secure than people supposed. In the spring of 2017,
one team of hackers was able to root an iMac using a long sequence of
exploits, one of which involved corrupting the pointers passed as BLOB
values to the snippet() FTS3 function of an SQLite database running via
the WebSQL interface inside of Safari.
|
|
|
|
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
...
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
<p> Because the pointer is passed in the t1 column of the t1 table as a BLOB (in older versions of SQLite), such a query would have shown the value of the pointer in hex. The attacker could then modify that pointer to try to get the snippet() function to modify memory in some other part of the application address space instead of the fts3cursor object it was supposed to be operating on: <codeblock> SELECT snippet(x'6092310100000000') FROM t1 WHERE cx MATCH $pattern; </codeblock> <p> Historically, this was not considered a threat. The argument was that if ................................................................................ arbitrary SQL, and so most uses of SQLite are immute to the attack above. But there are some notable exceptions. To wit: <ul> <li><p> The [https://en.wikipedia.org/wiki/Web_SQL_Database|WebSQL] interface to webkit allowed any webpage to to run arbitrary SQL in the browser for Chrome and Safari. That arbitrary SQL was supposed to be run inside a sandbox where it could do no harm even if exploited, but that sandbox turned out to be less secure than people supposed. In the spring of 2017, one team of hackers was able to root an iMac using a long sequence of exploits, one of which involved corrupting the pointers passed as BLOB values to the snippet() FTS3 function of an SQLite database running via the WebSQL interface inside of Safari. |
Changes to pages/changes.in.
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
..
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
set xrefChng($date) $nChng
incr nChng
}
chng {2017-08-01 (3.20.0)} {
<li> Update the text of error messages returned by [sqlite3_errmsg()] for some
error codes.
<li> Add new interfaces [pointer passing interfaces].
<li> Backwards-incompatible changes to some extensions in order to take
advantage of the improved security offered by the new
[pointer passing interfaces]:
<ul>
<li> [Extending FTS5] → requires [sqlite3_bind_pointer()] to find
the fts5_api pointer.
<li> [carray(PTR,N)] → requires [sqlite3_bind_pointer()] to set the PTR parameter.
................................................................................
→ requires [sqlite3_bind_pointer()] to set the PTR parameter.
</ul>
<li> Added the [SQLITE_STMT virtual table] extension.
<li> Added the [COMPLETION extension] - designed to suggest
tab-completions for interactive user interfaces. This is a work in progress.
Expect further enhancements in future releases.
<li> Added the [UNION virtual table] extension.
tab-completions for interactive user interfaces. This is a work in progress.
Expect further enhancements in future releases.
<li> The built-in [date and time functions] have been enhanced so that they can be
used within [CHECK constraints], [indexes on expressions], and in the WHERE clause
of a [partial index], provided that they do not use the 'now', 'localtime', or
'utc' keywords. [date/time special case|Futher information].
<li> Added the [sqlite3_prepare_v3()] and [sqlite3_prepare16_v3()] interfaces
with the extra "prepFlags" parameters.
<li> Provide the [SQLITE_PREPARE_PERSISTENT] flag for [sqlite3_prepare_v3()] and
use it to limit [lookaside memory] misuse by [FTS3], [FTS5], and the
[R-Tree extension].
<li> Added the [PRAGMA secure_delete=FAST] command. When secure_delete is
|
|
<
<
|
|
|
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
..
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
set xrefChng($date) $nChng
incr nChng
}
chng {2017-08-01 (3.20.0)} {
<li> Update the text of error messages returned by [sqlite3_errmsg()] for some
error codes.
<li> Add new [pointer passing interfaces].
<li> Backwards-incompatible changes to some extensions in order to take
advantage of the improved security offered by the new
[pointer passing interfaces]:
<ul>
<li> [Extending FTS5] → requires [sqlite3_bind_pointer()] to find
the fts5_api pointer.
<li> [carray(PTR,N)] → requires [sqlite3_bind_pointer()] to set the PTR parameter.
................................................................................
→ requires [sqlite3_bind_pointer()] to set the PTR parameter.
</ul>
<li> Added the [SQLITE_STMT virtual table] extension.
<li> Added the [COMPLETION extension] - designed to suggest
tab-completions for interactive user interfaces. This is a work in progress.
Expect further enhancements in future releases.
<li> Added the [UNION virtual table] extension.
<li> The built-in [date and time functions] have been enhanced so that they can be
used in [CHECK constraints], in [indexes on expressions], and in the WHERE clause
of a [partial indexes], provided that they do not use the 'now', 'localtime', or
'utc' keywords. [date/time special case|Futher information].
<li> Added the [sqlite3_prepare_v3()] and [sqlite3_prepare16_v3()] interfaces
with the extra "prepFlags" parameters.
<li> Provide the [SQLITE_PREPARE_PERSISTENT] flag for [sqlite3_prepare_v3()] and
use it to limit [lookaside memory] misuse by [FTS3], [FTS5], and the
[R-Tree extension].
<li> Added the [PRAGMA secure_delete=FAST] command. When secure_delete is
|