RESOLVED FIXED 33549
Disallow some sqlite functions that are not safe 
https://bugs.webkit.org/show_bug.cgi?id=33549
Summary Disallow some sqlite functions that are not safe
Dumitru Daniliuc
Reported Tuesday, January 12, 2010 9:09:20 PM UTC
Some sqlite functions are not safe, and we should disallow them. The best way to do it is to have a list of whitelisted functions in the authorizer. That would guard us against new functions that might not be safe in future sqlite releases.
Attachments
patch (5.66 KB, patch)
2010-01-12 16:09 PST, Dumitru Daniliuc 		abarth: review+
dumi: commit-queue-
DetailsFormatted DiffDiff
patch (5.92 KB, patch)
2010-01-12 19:18 PST, Dumitru Daniliuc 		abarth: review+
dumi: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dumitru Daniliuc
Comment 1 Wednesday, January 13, 2010 12:09:49 AM UTC
Created attachment 46406 [details] patch
Chris Evans
Comment 2 Wednesday, January 13, 2010 12:18:40 AM UTC
Patch looks good to me. Invoking Adam for 2nd look :)
Adam Barth
Comment 3 Wednesday, January 13, 2010 12:20:48 AM UTC
Looks reasonable to me. I don't understand this change: - return auth->allowFunction(parameter1); + return auth->allowFunction(parameter2); Also, I'm not an expert on these functions.
Dumitru Daniliuc
Comment 4 Wednesday, January 13, 2010 12:22:54 AM UTC
(In reply to comment #3) > Looks reasonable to me. I don't understand this change: > > - return auth->allowFunction(parameter1); > + return auth->allowFunction(parameter2); > > Also, I'm not an expert on these functions. it was a bug. according to http://www.sqlite.org/c3ref/c_alter_table.html the function name is passed in the 4th parameter, not the 3rd.
Adam Barth
Comment 5 Wednesday, January 13, 2010 1:22:20 AM UTC
Comment on attachment 46406 [details] patch I'm marking this r+ because this was discussed on webkit-dev. If folks have additional feedback, please me me or Dumitru know.
Dumitru Daniliuc
Comment 6 Wednesday, January 13, 2010 3:18:52 AM UTC
Created attachment 46420 [details] patch Same patch, with 3 new functions whitelisted: sqlite_rename_table: used by the ALTER TABLE command sqlite_rename_trigger: used by the ALTER TRIGGER command glob: used by the GLOB operator I've grep'd the sqlite source code for calls to sqlite3CreateFunc() and these were the only 3 "helper functions" that seem to be registered by the sqlite code.
Adam Barth
Comment 7 Wednesday, January 13, 2010 3:20:57 AM UTC
Comment on attachment 46420 [details] patch ok
Dumitru Daniliuc
Comment 8 Wednesday, January 13, 2010 3:21:25 AM UTC
Forgot to add that if sqlite_rename_table is not whitelisted, then a command like 'ALTER TABLE Blah RENAME to BlahBlah;' will fail. Not whitelisting the other 2 functions has similar consequences.
Dumitru Daniliuc
Comment 9 Wednesday, January 13, 2010 3:30:16 AM UTC
Landed as r53177.
Darin Adler
Comment 10 Wednesday, January 13, 2010 7:05:29 AM UTC
Comment on attachment 46420 [details] patch Code like this should use a case folding HashSet rather than calling lower each time it calls contains on the HashSet. See examples in DOMImplementation.cpp, ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and XMLHttpRequest.cpp. I also see incorrect indenting, 2 spaces instead of 4, in the patch. > + if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower())) > + return SQLAuthDeny; > + > + return SQLAuthAllow; Incorrect indenting here. Two spaces instead of 4.
Dumitru Daniliuc
Comment 11 Wednesday, January 13, 2010 8:16:28 PM UTC
(In reply to comment #10) > (From update of attachment 46420 [details]) > Code like this should use a case folding HashSet rather than calling lower each > time it calls contains on the HashSet. See examples in DOMImplementation.cpp, > ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and > XMLHttpRequest.cpp. > > I also see incorrect indenting, 2 spaces instead of 4, in the patch. > > > + if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower())) > > + return SQLAuthDeny; > > + > > + return SQLAuthAllow; > > Incorrect indenting here. Two spaces instead of 4. Opened bug 33612 to address Darin's comments.
Note You need to log in before you can comment on or make changes to this bug.