Overview
Comment: More typo fixes.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 9fdf1274f941175c132dfaa939248c7c
User & Date: drh 2017-07-25 15:57:36.767
Context
2017-07-25
17:03 | Change log typo fixes. (check-in: 0e82b7e2dd user: drh tags: trunk)
15:57 | More typo fixes. (check-in: 9fdf1274f9 user: drh tags: trunk)
15:40 | Fix typo in the pointer-passing document. (check-in: 2f0174e967 user: drh tags: trunk)
Changes
Changes to pages/bindptr.in.
︙ | ︙
79 80 81 82 83 84 85 | different query, like this: <codeblock> SELECT hex(t1) FROM t1 WHERE cx MATCH $pattern; </codeblock> <p> | | | > | 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | different query, like this: <codeblock> SELECT hex(t1) FROM t1 WHERE cx MATCH $pattern; </codeblock> <p> Because the pointer is passed in the t1 column of the t1 table as a BLOB (in older versions of SQLite), such a query would have shown the value of the pointer in hex. The attacker could then modify that pointer to try to get the snippet() function to modify memory in some other part of the application address space instead of the fts3cursor object it was suppose to be operating on: <codeblock> SELECT snippet(x'6092310100000000') FROM t1 WHERE cx MATCH $pattern; |
︙ | ︙
107 108 109 110 111 112 113 | But there are some notable exceptions. To wit: <ul> <li><p> The [https://en.wikipedia.org/wiki/Web_SQL_Database|WebSQL] interface to webkit allowed any webpage to to run arbitrary SQL in the browser for Chrome and Safari. That arbitrary SQL was suppose to be run inside | | | 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 | But there are some notable exceptions. To wit: <ul> <li><p> The [https://en.wikipedia.org/wiki/Web_SQL_Database|WebSQL] interface to webkit allowed any webpage to to run arbitrary SQL in the browser for Chrome and Safari. That arbitrary SQL was suppose to be run inside a sandbox where it could do no harm even if exploited, but that sandbox turned out to be less secure than people supposed. In the spring of 2017, one team of hackers was able to root an iMac using a long sequence of exploits, one of which involved corrupting the pointers passed as BLOB values to the snippet() FTS3 function of an SQLite database running via the WebSQL interface inside of Safari. <li><p> |
︙ | ︙
161 162 163 164 165 166 167 | <tcl>hd_fragment ptrleak {pointer leak} {pointer leaks}</tcl> <h2>Pointer Leaks</h2> <p> The use of subtypes on pointers prevented pointer forgery using pure SQL. But subtypes do nothing to prevent an attacker from reading the values of pointers. In other words, subtypes on pointer values | | | 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 | <tcl>hd_fragment ptrleak {pointer leak} {pointer leaks}</tcl> <h2>Pointer Leaks</h2> <p> The use of subtypes on pointers prevented pointer forgery using pure SQL. But subtypes do nothing to prevent an attacker from reading the values of pointers. In other words, subtypes on pointer values prevent attacks using SQL statements like this: <codeblock> SELECT snippet(x'6092310100000000') FROM t1 WHERE cx MATCH $pattern; </codeblock> <p> The BLOB argument to snippet() does not have the correct subtype, so the |
︙ | ︙
335 336 337 338 339 340 341 | <li>Applications need to receive a pointer to the "fts5_api" object in order to add extensions, such as custom tokenizers, to the [FTS5] extension. </ul> <li><p> Pointers should <u>never</u> be exchanged by encoding them as some other SQL datatype, such as integers or BLOBs. Instead, use the interfaces | | | 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 | <li>Applications need to receive a pointer to the "fts5_api" object in order to add extensions, such as custom tokenizers, to the [FTS5] extension. </ul> <li><p> Pointers should <u>never</u> be exchanged by encoding them as some other SQL datatype, such as integers or BLOBs. Instead, use the interfaces designed to facilitate secure pointer passing: [sqlite3_bind_pointer()], [sqlite3_result_pointer()], and [sqlite3_value_pointer()]. <li><p> The use of pointer-passing is an advanced technique that should be used infrequently and cautiously. Pointer-passing should not be used haphazardly or carelessly. Pointer-passing is a sharp tool |
︙ | ︙ |
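Review bot: In the first hunk (old lines 79-85, new lines 79-95), the typo "it was suppose to be operating on" survives this typo-fix check-in; it should read "it was supposed to be operating on". The rest of the new text in that hunk (the hex(t1) query and the explanation that the BLOB-encoded pointer was readable and could then be altered to point elsewhere) reads correctly.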
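Review bot: The second hunk (old lines 107-113, new lines 108-122) still contains two typos in the WebSQL paragraph: "allowed any webpage to to run arbitrary SQL" has a doubled "to", and "was suppose to be run inside a sandbox" should be "was supposed to be run inside a sandbox". Both are in the new (right-hand) side, so a follow-up typo fix is needed for this paragraph as well.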