|00:53||• Fixed ticket [9013e13d]: ATTACH authorization fails when database name is not a literal plus 2 other changes (artifact: 6ae935d5 user: drh)|
|00:51||Fix the ATTACH command so that the filename argument can be any expression and so that if authorizer callback gets a NULL pointer for the filename if the filename argument is anything other than a string literal. Ticket [9013e13dba5b58c7] (check-in: e64e1453 user: drh tags: trunk)|
|15:42||• New ticket [9013e13d] ATTACH authorization fails when database name is not a literal. (artifact: 967b0455 user: drh)|
|Title:||ATTACH authorization fails when database name is not a literal|
|Last Modified:||2011-02-04 00:53:22|
|Version Found In:||3.7.5|
The authorizer (http://www.sqlite.org/c3ref/set_authorizer.html) is called
to validate every ATTACH command. The third parameter to the authorizer
callback should be the name of the database file that is to be attached.
But if the database name is specified as a parameter:
ATTACH $dbname AS newdb;
Then the name of the parameter is sent as the 3rd parameter, not the name of the file. Or, if the database name is an arbitrary expression, the 3rd parameter is undefined.
The probable fix is to document that whenever anything other than a string literal is used in an ATTACH statement that the 3rd argument to authorizer callback is NULL. In other words, a NULL filename to the SQLITE_ATTACH authorizer signifies that the filename is unknown at compile-time.
The code needs to be changed to implement the above, and the documentation needs to be changed to explain that this is how it works.