The authorizer ([http://www.sqlite.org/c3ref/set_authorizer.html]) is called
to validate every ATTACH command. The third parameter to the authorizer
callback should be the name of the database file that is to be attached.
But if the database name is specified as a parameter:
<blockquote><pre>
ATTACH $dbname AS newdb;
</pre></blockquote>
Then the name of the parameter is sent as the 3rd parameter, not the name
of the file. Or, if the database name is an arbitrary expression, the
3rd parameter is undefined.
The probable fix is to document that whenever anything other than a
string literal is used in an ATTACH statement, the 3rd argument to the
authorizer callback is NULL. In other words, a NULL filename to the
SQLITE_ATTACH authorizer signifies that the filename is unknown at
compile-time.
The code needs to be changed to implement the above, and the documentation
needs to be changed to explain that this is how it works.
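A deny-by-default authorizer policy under the NULL-filename convention proposed above, as an added example (not SQLite's own code) written against Python's sqlite3 binding. The allowlist, the helper names and the sample paths are constructed for illustration.

```python
import sqlite3

# Constructed allowlist: the only files this application may ATTACH.
ALLOWED_FILES = {":memory:"}

def make_authorizer(allowed, seen):
    """Build an authorizer that vets ATTACH and records what it was shown."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action != sqlite3.SQLITE_ATTACH:
            return sqlite3.SQLITE_OK
        seen.append(arg1)  # arg1 is the authorizer's "3rd parameter"
        if arg1 is None:
            # Filename unknown at compile-time (parameter or expression):
            # it cannot be vetted here, so refuse the statement.
            return sqlite3.SQLITE_DENY
        # A build without the fix passes the parameter name here instead;
        # that name is not on the allowlist, so it is refused as well.
        return sqlite3.SQLITE_OK if arg1 in allowed else sqlite3.SQLITE_DENY
    return authorizer

def try_attach(sql, params=()):
    """Return (attached, values the authorizer saw) for one ATTACH statement."""
    conn = sqlite3.connect(":memory:")
    seen = []
    conn.set_authorizer(make_authorizer(ALLOWED_FILES, seen))
    try:
        conn.execute(sql, params)
        return True, seen
    except sqlite3.Error:  # denial surfaces as "not authorized" at prepare time
        return False, seen
    finally:
        conn.close()

if __name__ == "__main__":
    cases = [
        ("ATTACH ':memory:' AS newdb", ()),
        ("ATTACH '/tmp/constructed-other.db' AS newdb", ()),
        ("ATTACH $dbname AS newdb", {"dbname": ":memory:"}),
    ]
    for sql, params in cases:
        print(sql, "->", try_attach(sql, params))
```

Code that legitimately needs a run-time filename has to validate the bound value itself before executing the ATTACH, since the authorizer never sees it.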