Bug 33549

Summary: Disallow some sqlite functions that are not safe
Product: WebKit Reporter: Dumitru Daniliuc <dumi>
Component: New BugsAssignee: Dumitru Daniliuc <dumi>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, beidson, dglazkov, michaeln, scarybeasts
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
patch
abarth: review+, dumi: commit-queue-
patch abarth: review+, dumi: commit-queue-

Description Dumitru Daniliuc 2010-01-12 13:09:20 PST 
Some sqlite functions are not safe, and we should disallow them. The best way to do it is to have a list of whitelisted functions in the authorizer. That would guard us against new functions that might not be safe in future sqlite releases.
Comment 1 Dumitru Daniliuc 2010-01-12 16:09:49 PST 
Created attachment 46406 [details]
patch
Comment 2 Chris Evans 2010-01-12 16:18:40 PST 
Patch looks good to me.
Invoking Adam for 2nd look :)
Comment 3 Adam Barth 2010-01-12 16:20:48 PST 
Looks reasonable to me.  I don't understand this change:

-              return auth->allowFunction(parameter1);
+             return auth->allowFunction(parameter2);

Also, I'm not an expert on these functions.
Comment 4 Dumitru Daniliuc 2010-01-12 16:22:54 PST 
(In reply to comment #3)
> Looks reasonable to me.  I don't understand this change:
> 
> -              return auth->allowFunction(parameter1);
> +             return auth->allowFunction(parameter2);
> 
> Also, I'm not an expert on these functions.

it was a bug. according to http://www.sqlite.org/c3ref/c_alter_table.html the function name is passed in the 4th parameter, not the 3rd.
Comment 5 Adam Barth 2010-01-12 17:22:20 PST 
Comment on attachment 46406 [details]
patch

I'm marking this r+ because this was discussed on webkit-dev.  If folks have additional feedback, please me me or Dumitru know.
Comment 6 Dumitru Daniliuc 2010-01-12 19:18:52 PST 
Created attachment 46420 [details]
patch

Same patch, with 3 new functions whitelisted:

sqlite_rename_table: used by the ALTER TABLE command
sqlite_rename_trigger: used by the ALTER TRIGGER command
glob: used by the GLOB operator

I've grep'd the sqlite source code for calls to sqlite3CreateFunc() and these were the only 3 "helper functions" that seem to be registered by the sqlite code.
Comment 7 Adam Barth 2010-01-12 19:20:57 PST 
Comment on attachment 46420 [details]
patch

ok
Comment 8 Dumitru Daniliuc 2010-01-12 19:21:25 PST 
Forgot to add that if sqlite_rename_table is not whitelisted, then a command like 'ALTER TABLE Blah RENAME to BlahBlah;' will fail. Not whitelisting the other 2 functions has similar consequences.
Comment 9 Dumitru Daniliuc 2010-01-12 19:30:16 PST 
Landed as r53177.
Comment 10 Darin Adler 2010-01-12 23:05:29 PST 
Comment on attachment 46420 [details]
patch

Code like this should use a case folding HashSet rather than calling lower each time it calls contains on the HashSet. See examples in DOMImplementation.cpp, ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and XMLHttpRequest.cpp.

I also see incorrect indenting, 2 spaces instead of 4, in the patch.

> +  if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower()))
> +    return SQLAuthDeny;
> +
> +  return SQLAuthAllow;

Incorrect indenting here. Two spaces instead of 4.
Comment 11 Dumitru Daniliuc 2010-01-13 12:16:28 PST 
(In reply to comment #10)
> (From update of attachment 46420 [details])
> Code like this should use a case folding HashSet rather than calling lower each
> time it calls contains on the HashSet. See examples in DOMImplementation.cpp,
> ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and
> XMLHttpRequest.cpp.
> 
> I also see incorrect indenting, 2 spaces instead of 4, in the patch.
> 
> > +  if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower()))
> > +    return SQLAuthDeny;
> > +
> > +  return SQLAuthAllow;
> 
> Incorrect indenting here. Two spaces instead of 4.

Opened bug 33612 to address Darin's comments.