Bug 33549

Summary: Disallow some sqlite functions that are not safe
Product: WebKit Reporter: Dumitru Daniliuc <dumi>
Component: New BugsAssignee: Dumitru Daniliuc <dumi>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, beidson, dglazkov, michaeln, scarybeasts
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
patch
abarth: review+, dumi: commit-queue-
patch abarth: review+, dumi: commit-queue-

Dumitru Daniliuc
Reported 2010-01-12 13:09:20 PST
Some sqlite functions are not safe, and we should disallow them. The best way to do it is to have a list of whitelisted functions in the authorizer. That would guard us against new functions that might not be safe in future sqlite releases.
Attachments
patch (5.66 KB, patch)
2010-01-12 16:09 PST, Dumitru Daniliuc 		abarth: review+
dumi: commit-queue-
DetailsFormatted DiffDiff
patch (5.92 KB, patch)
2010-01-12 19:18 PST, Dumitru Daniliuc 		abarth: review+
dumi: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dumitru Daniliuc
Comment 1 2010-01-12 16:09:49 PST
Created attachment 46406 [details] patch
Chris Evans
Comment 2 2010-01-12 16:18:40 PST
Patch looks good to me. Invoking Adam for 2nd look :)
Adam Barth
Comment 3 2010-01-12 16:20:48 PST
Looks reasonable to me. I don't understand this change: - return auth->allowFunction(parameter1); + return auth->allowFunction(parameter2); Also, I'm not an expert on these functions.
Dumitru Daniliuc
Comment 4 2010-01-12 16:22:54 PST
(In reply to comment #3) > Looks reasonable to me. I don't understand this change: > > - return auth->allowFunction(parameter1); > + return auth->allowFunction(parameter2); > > Also, I'm not an expert on these functions. it was a bug. according to http://www.sqlite.org/c3ref/c_alter_table.html the function name is passed in the 4th parameter, not the 3rd.
Adam Barth
Comment 5 2010-01-12 17:22:20 PST
Comment on attachment 46406 [details] patch I'm marking this r+ because this was discussed on webkit-dev. If folks have additional feedback, please me me or Dumitru know.
Dumitru Daniliuc
Comment 6 2010-01-12 19:18:52 PST
Created attachment 46420 [details] patch Same patch, with 3 new functions whitelisted: sqlite_rename_table: used by the ALTER TABLE command sqlite_rename_trigger: used by the ALTER TRIGGER command glob: used by the GLOB operator I've grep'd the sqlite source code for calls to sqlite3CreateFunc() and these were the only 3 "helper functions" that seem to be registered by the sqlite code.
Adam Barth
Comment 7 2010-01-12 19:20:57 PST
Comment on attachment 46420 [details] patch ok
Dumitru Daniliuc
Comment 8 2010-01-12 19:21:25 PST
Forgot to add that if sqlite_rename_table is not whitelisted, then a command like 'ALTER TABLE Blah RENAME to BlahBlah;' will fail. Not whitelisting the other 2 functions has similar consequences.
Dumitru Daniliuc
Comment 9 2010-01-12 19:30:16 PST
Landed as r53177.
Darin Adler
Comment 10 2010-01-12 23:05:29 PST
Comment on attachment 46420 [details] patch Code like this should use a case folding HashSet rather than calling lower each time it calls contains on the HashSet. See examples in DOMImplementation.cpp, ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and XMLHttpRequest.cpp. I also see incorrect indenting, 2 spaces instead of 4, in the patch. > + if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower())) > + return SQLAuthDeny; > + > + return SQLAuthAllow; Incorrect indenting here. Two spaces instead of 4.
Dumitru Daniliuc
Comment 11 2010-01-13 12:16:28 PST
(In reply to comment #10) > (From update of attachment 46420 [details]) > Code like this should use a case folding HashSet rather than calling lower each > time it calls contains on the HashSet. See examples in DOMImplementation.cpp, > ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and > XMLHttpRequest.cpp. > > I also see incorrect indenting, 2 spaces instead of 4, in the patch. > > > + if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower())) > > + return SQLAuthDeny; > > + > > + return SQLAuthAllow; > > Incorrect indenting here. Two spaces instead of 4. Opened bug 33612 to address Darin's comments.
Note You need to log in before you can comment on or make changes to this bug.