/ Check-in [debafa5e]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Test cases for SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | load-ext-security
Files: files | file ages | folders
SHA1: debafa5efd37ac60e030d0963ce8e7c4f51a0f10
User & Date: drh 2016-04-21 01:58:21
Context
2016-04-21
02:27
Add the SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION method for enabling sqlite3_load_extension() while leaving the load_extension() SQL function disabled. check-in: c4f165c4 user: drh tags: trunk
01:58
Test cases for SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION. Closed-Leaf check-in: debafa5e user: drh tags: load-ext-security
01:30
Revert sqlite3_enable_load_extension() to its original long-standing behavior. Add SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION which will enable only the C-API and leave the SQL function disabled. check-in: b2ae5bfa user: drh tags: load-ext-security
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Changes to src/func.c.

  1385   1385     const char *zProc;
  1386   1386     sqlite3 *db = sqlite3_context_db_handle(context);
  1387   1387     char *zErrMsg = 0;
  1388   1388   
  1389   1389     /* Disallow the load_extension() SQL function unless the SQLITE_LoadExtFunc
  1390   1390     ** flag is set.  See the sqlite3_enable_load_extension() API.
  1391   1391     */
  1392         -  if( (db->flags & SQLITE_LoadExtFunc)==0 ) return;
         1392  +  if( (db->flags & SQLITE_LoadExtFunc)==0 ){
         1393  +    sqlite3_result_error(context, "not authorized", -1);
         1394  +    return;
         1395  +  }
  1393   1396   
  1394   1397     if( argc==2 ){
  1395   1398       zProc = (const char *)sqlite3_value_text(argv[1]);
  1396   1399     }else{
  1397   1400       zProc = 0;
  1398   1401     }
  1399   1402     if( zFile && sqlite3_load_extension(db, zFile, zProc, &zErrMsg) ){

Changes to test/loadext.test.

   107    107     }
   108    108   } {0 0.5}
   109    109   
   110    110   # Test that a second database connection (db2) can load the extension also.
   111    111   #
   112    112   do_test loadext-1.3 {
   113    113     sqlite3 db2 test.db
   114         -  sqlite3_enable_load_extension db2 1
          114  +  sqlite3_db_config db2 SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION 1
   115    115     catchsql {
   116    116       SELECT half(1.0);
   117    117     } db2
   118    118   } {1 {no such function: half}}
   119    119   do_test loadext-1.4 {
   120    120     sqlite3_load_extension db2 $testextension testloadext_init
   121    121     catchsql {
................................................................................
   252    252   do_test loadext-4.2 {
   253    253     sqlite3_enable_load_extension db 1
   254    254     catchsql {
   255    255       SELECT load_extension($::testextension,'testloadext_init')
   256    256     }
   257    257   } {0 {{}}}
   258    258   
          259  +# disable all extension loading
   259    260   do_test loadext-4.3 {
   260    261     sqlite3_enable_load_extension db 0
          262  +  catchsql {
          263  +    SELECT load_extension($::testextension,'testloadext_init')
          264  +  }
          265  +} {1 {not authorized}}
          266  +
          267  +# enable C-api extension loading only.  Show that the SQL function
          268  +# still does not work.
          269  +do_test loadext-4.4 {
          270  +  sqlite3_db_config db SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION 1
   261    271     catchsql {
   262    272       SELECT load_extension($::testextension,'testloadext_init')
   263    273     }
   264    274   } {1 {not authorized}}
   265    275   
   266    276   source $testdir/malloc_common.tcl
   267    277