Check-in [4139953a]

Overview
Comment: Change the SQLITE_READ authorization call for unreferenced tables to use an empty string for the column name, as this is less likely to impact legacy authorization callbacks that assume column names are always non-NULL.
SHA3-256: 4139953ab528f20fa346409810edcb22adb6c1edc9d22f40b1b077ef842a2441
User & Date: drh 2017-05-11 12:05:23
Context
2017-05-11
12:27
Improvements to the sqlite3_set_authorizer() documentation. check-in: 47629b19 user: drh tags: trunk
12:05
Change the SQLITE_READ authorization call for unreferenced tables to use an empty string for the column name, as this is less likely to impact legacy authorization callbacks that assume column names are always non-NULL. check-in: 4139953a user: drh tags: trunk
2017-05-10
19:42
Rename fields of the internal AuxData object to make them unique and easier to search for. check-in: 2be9850c user: drh tags: trunk
Changes

Changes to src/select.c.

  5120   5120     ** (2) Generate code for all sub-queries
  5121   5121     */
  5122   5122     for(i=0; i<pTabList->nSrc; i++){
  5123   5123       struct SrcList_item *pItem = &pTabList->a[i];
  5124   5124       SelectDest dest;
  5125   5125       Select *pSub;
  5126   5126   
  5127         -    /* Issue SQLITE_READ authorizations with a NULL column name for any tables that
         5127  +    /* Issue SQLITE_READ authorizations with a fake column name for any tables that
  5128   5128       ** are referenced but from which no values are extracted. Examples of where these
  5129   5129       ** kinds of null SQLITE_READ authorizations would occur:
  5130   5130       **
  5131         -    **     SELECT count(*) FROM t1;   -- SQLITE_READ t1 null
  5132         -    **     SELECT t1.* FROM t1, t2;   -- SQLITE_READ t2 null
         5131  +    **     SELECT count(*) FROM t1;   -- SQLITE_READ t1.""
         5132  +    **     SELECT t1.* FROM t1, t2;   -- SQLITE_READ t2.""
         5133  +    **
         5134  +    ** The fake column name is an empty string.  It is possible for a table to
         5135  +    ** have a column named by the empty string, in which case there is no way to
         5136  +    ** distinguish between an unreferenced table and an actual reference to the
         5137  +    ** "" column.  The original design was for the fake column name to be a NULL,
         5138  +    ** which would be unambiguous.  But legacy authorization callbacks might
         5139  +    ** assume the column name is non-NULL and segfault.  The use of an empty string
         5140  +    ** for the fake column name seems safer.
  5133   5141       */
  5134   5142       if( pItem->colUsed==0 ){
  5135         -      sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, pItem->zDatabase, 0);
         5143  +      sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, "", pItem->zDatabase);
  5136   5144       }
  5137   5145   
  5138   5146   #if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)
  5139   5147       /* Generate code for all sub-queries in the FROM clause
  5140   5148       */
  5141   5149       pSub = pItem->pSelect;
  5142   5150       if( pSub==0 ) continue;
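Review bot: the argument order to sqlite3AuthCheck() changes in this hunk as well, not only the column value, and the commit message does not mention it: the removed line passed `pItem->zDatabase` in the fourth slot and `0` in the fifth, while the added line is `sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, "", pItem->zDatabase);`, moving the database name to the fifth slot. If the fourth argument is the column name and the fifth the database name (the signature is not visible here, so please confirm), the old call was reporting the database name as the column and a NULL database, which is a separate defect worth recording. The new comment is candid that "" is ambiguous with a real column named by the empty string; since `if( pItem->colUsed==0 )` is the only thing that distinguishes the two cases on the engine side, the public documentation should tell callback authors that an empty column name on SQLITE_READ means no column of that table was referenced.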

Changes to src/sqlite.h.in.

  2710   2710   ** a NULL value in place of the table column that would have
  2711   2711   ** been read if [SQLITE_OK] had been returned.  The [SQLITE_IGNORE]
  2712   2712   ** return can be used to deny an untrusted user access to individual
  2713   2713   ** columns of a table.
  2714   2714   ** ^When a table is referenced by a [SELECT] but no column values are
  2715   2715   ** extracted from that table (for example in a query like
  2716   2716   ** "SELECT count(*) FROM tab") then the [SQLITE_READ] authorizer callback
  2717         -** is invoked once for that table with a NULL column name.
         2717  +** is invoked once for that table with a column name that is an empty string.
  2718   2718   ** ^If the action code is [SQLITE_DELETE] and the callback returns
  2719   2719   ** [SQLITE_IGNORE] then the [DELETE] operation proceeds but the
  2720   2720   ** [truncate optimization] is disabled and all rows are deleted individually.
  2721   2721   **
  2722   2722   ** An authorizer is used when [sqlite3_prepare | preparing]
  2723   2723   ** SQL statements from an untrusted source, to ensure that the SQL statements
  2724   2724   ** do not try to access data they are not allowed to see, or that they do not
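Review bot: the documentation now states the empty-string column name but omits the caveat the select.c comment records, that a table may actually have a column named "" and the callback cannot tell the two cases apart; that limitation belongs here, where callback authors will read it, together with an explicit statement that the callback must accept an empty (but non-NULL) column name. The surrounding lines describe [SQLITE_IGNORE] as substituting NULL for the column value that would have been read, but they do not say what [SQLITE_IGNORE] or a denial means for this no-column invocation, where no value is extracted; one sentence covering that would close the gap.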