Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Further typo fixes in the pointer-passing document. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
3ae0a793ec163c509980bc7ddf8bc7c4 |
User & Date: | drh 2017-07-24 15:29:56.619 |
Context
2017-07-25
| ||
15:40 | Fix typo in the pointer-passing document. (check-in: 2f0174e967 user: drh tags: trunk) | |
2017-07-24
| ||
15:29 | Further typo fixes in the pointer-passing document. (check-in: 3ae0a793ec user: drh tags: trunk) | |
15:19 | Add a couple of sentences to the pointer-passing document to try to clarify that the caller owns the passed pointers. (check-in: 74ab40f1f1 user: drh tags: trunk) | |
Changes
Changes to pages/bindptr.in.
1 | <title>Pointer Passing Interfaces</title> | | | 1 2 3 4 5 6 7 8 9 | <title>Pointer Passing Interfaces</title> <tcl>hd_keywords {pointer passing interfaces} {pointer passing interface} </tcl> <fancy_format> <h1>Overview</h1> <p> |
︙ | ︙ | |||
59 60 61 62 63 64 65 | Passing around pointers as if they were integers or BLOBs is easy, effective, and works well in an environment where the application components are all friendly toward one another. However, passing pointers as integers and BLOBs allows hostile SQL text to forge invalid pointers that can carry out mischief. <p> | | | 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 | Passing around pointers as if they were integers or BLOBs is easy, effective, and works well in an environment where the application components are all friendly toward one another. However, passing pointers as integers and BLOBs allows hostile SQL text to forge invalid pointers that can carry out mischief. <p> For example, the first argument to the [snippet()] function is supposed to be a special column of the FTS3 table that contains a pointer to an fts3cursor object that contains information about the current full text search match. That pointer was formerly passed as a BLOB. For example, if the FTS3 table is named "t1" and has a column named "cx", one might write: <codeblock> |
︙ | ︙ | |||
148 149 150 151 152 153 154 | prevent pointer values from being forged. This was accomplished by having the sender attach a subtype to each pointer using [sqlite3_result_subtype()] and having the receiver verify that subtype using [sqlite3_value_subtype()] and reject pointers that had an incorrect subtype. Since there is no way to attach a subtype to a result using pure SQL, this prevents pointers from being forged using SQL. The only way to send a pointer is to use C code. If an attacker can set a subtype, | | | 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 | prevent pointer values from being forged. This was accomplished by having the sender attach a subtype to each pointer using [sqlite3_result_subtype()] and having the receiver verify that subtype using [sqlite3_value_subtype()] and reject pointers that had an incorrect subtype. Since there is no way to attach a subtype to a result using pure SQL, this prevents pointers from being forged using SQL. The only way to send a pointer is to use C code. If an attacker can set a subtype, then he is also able to forge a pointer without the help of SQLite. <p> Using subtypes to identify valid pointers prevented the WebSQL exploit. But it turned out to be an incomplete solution. <tcl>hd_fragment ptrleak {pointer leak} {pointer leaks}</tcl> <h2>Pointer Leaks</h2> |
︙ | ︙ | |||
216 217 218 219 220 221 222 | value of a pointer will get an SQL NULL answer. The only way to discover whether or not a value has an associated pointer is to use the [sqlite3_value_pointer()] interface with the appropriate type string T. <p> Pointer values read by [sqlite3_value_pointer()] | | | | 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 | value of a pointer will get an SQL NULL answer. The only way to discover whether or not a value has an associated pointer is to use the [sqlite3_value_pointer()] interface with the appropriate type string T. <p> Pointer values read by [sqlite3_value_pointer()] cannot be generated by pure SQL. Hence, it is not possible for SQL to forge pointers. <p> Pointer values generated by [sqlite3_bind_pointer()] and [sqlite3_result_pointer()] cannot be read by pure SQL. Hence, it is not possible for SQL to leak the value of pointers. <p> |
︙ | ︙ | |||
259 260 261 262 263 264 265 | <p> Except, the statement above does not work, thanks to pointer types. The pointer generated by the MATCH operator has a type of "fts3cursor" but the carray() function expects to receives a pointer of type "carray". Because the pointer type on the [sqlite3_result_pointer()] does not match the pointer type on the [sqlite3_value_pointer()] call, [sqlite3_value_pointer()] returns NULL in carray() and thus signals | | | 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 | <p> Except, the statement above does not work, thanks to pointer types. The pointer generated by the MATCH operator has a type of "fts3cursor" but the carray() function expects to receives a pointer of type "carray". Because the pointer type on the [sqlite3_result_pointer()] does not match the pointer type on the [sqlite3_value_pointer()] call, [sqlite3_value_pointer()] returns NULL in carray() and thus signals the CARRAY extension that it has been passed an invalid pointer. <p> Pointer types are static strings, which ideally should be string literals embedded directly in the SQLite API call, not parameters passed in from other functions. Consideration was given to using integer values as the pointer type, but static strings provides a much larger name space which reduces the chance of accidental type-name collisions between |
︙ | ︙ | |||
287 288 289 290 291 292 293 | <p> The pointers that piggy-back on SQL NULL values using the [sqlite3_bind_pointer()], [sqlite3_result_pointer()], and [sqlite3_value_pointer()] interface are transient and ephemeral. The pointers are never written into the database. The pointers will not survive sorting. The latter fact is why there is no sqlite3_column_pointer() interface, since it is impossible to | | | 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 | <p> The pointers that piggy-back on SQL NULL values using the [sqlite3_bind_pointer()], [sqlite3_result_pointer()], and [sqlite3_value_pointer()] interface are transient and ephemeral. The pointers are never written into the database. The pointers will not survive sorting. The latter fact is why there is no sqlite3_column_pointer() interface, since it is impossible to predict whether or not the query planner will insert a sort operation prior to returning a value from a query, so it would be impossible to know if a pointer value inserted into a query by [sqlite3_bind_pointer()] or [sqlite3_result_pointer()] would survive through to the result set. <p> Pointer values must flow directly from their producer into their |
︙ | ︙ |