3.31.0 Request TRUSTED_SCHEMA and pragma's


Keith Medcalf

Richard,

The TRUSTED_SCHEMA setting works really well but I have noticed one problem (there may be more, but I haven't run across any yet) with it that is perhaps easy to address, though it needs to be done properly.  That is perhaps adding an innocuous flag to pragma definitions in mkpragmatab.tcl so that it can be carried through into the vtable code that handles pragma_<pragma_name> xConnect method.

This would permit pragmas such as table_info (for example) to be marked as innocuous so that pragma_table_info could be used in a view even when the schema is untrusted.

Whether a directonly flag is required I do not know but, for example, one might never want to have pragma_integrity_check used in a view, though I presently don't really see any need for that and the behaviour of those pragma vtabs might not need changing at all from the current behaviour.

Just some ideas (and I don't know TCL that well, and it would require the addition of the flags in the C code, or I would submit some patch ideas myself).

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.




_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: 3.31.0 Request TRUSTED_SCHEMA and pragma's

Richard Hipp-3
On 1/21/20, Keith Medcalf <[hidden email]> wrote:

>
> Richard,
>
> The TRUSTED_SCHEMA setting works really well but I have noticed one problem
> (there may be more, but I haven't run across any yet) with it that is
> perhaps easy to address, though it needs to be done properly.  That is
> perhaps adding an innocuous flag to pragma definitions in mkpragmatab.tcl so
> that it can be carried through into the vtable code that handles
> pragma_<pragma_name> xConnect method.
>
> This would permit pragmas such as table_info (for example) to be marked as
> innocuous so that pragma_table_info could be used in a view even when the
> schema is untrusted.

That would potentially leak information about the schemas of other
attached database files.  It seems like a harmless information leak,
but it is a leak nevertheless.

If you are setting untrusted schema (as you probably should) but you
need to use pragma virtual tables inside of triggers and views,
consider putting them inside TEMP triggers and views.  TEMP triggers
and views, because they must originate in the application itself, are
always trusted.

--
D. Richard Hipp
[hidden email]

Re: 3.31.0 Request TRUSTED_SCHEMA and pragma's

Keith Medcalf

On Tuesday, 21 January, 2020 05:28, Richard Hipp <[hidden email]> wrote:

>On 1/21/20, Keith Medcalf <[hidden email]> wrote:

>> Richard,
>>
>> The TRUSTED_SCHEMA setting works really well but I have noticed one
>> problem (there may be more, but I haven't run across any yet) with
>> it that is perhaps easy to address, though it needs to be done
>> properly.  That is perhaps adding an innocuous flag to pragma
>> definitions in mkpragmatab.tcl so that it can be carried through
>> into the vtable code that handles pragma_<pragma_name> xConnect
>> method.
>>
>> This would permit pragmas such as table_info (for example) to be
>> marked as innocuous so that pragma_table_info could be used in a
>> view even when the schema is untrusted.

> That would potentially leak information about the schemas of other
> attached database files.  It seems like a harmless information leak,
> but it is a leak nevertheless.
>
> If you are setting untrusted schema (as you probably should) but you
> need to use pragma virtual tables inside of triggers and views,
> consider putting them inside TEMP triggers and views.  TEMP triggers
> and views, because they must originate in the application itself, are
> always trusted.

Done, tested, and putting those views in temp works just fine.

And yes, I agree that not marking the pragma vtabs as innocuous is the right thing.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
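
The behaviour discussed in this thread, as an added example that is not part of the original messages or of SQLite's own code: with trusted_schema off, a view stored in the main schema that reads pragma_table_info is rejected, while the same view created as TEMP works. The table name accounts and the view names cols_main and cols_temp are made up for illustration.

```python
import sqlite3

# PRAGMA trusted_schema was introduced in SQLite 3.31.0; older libraries
# silently ignore the pragma, so the restriction is not enforced there.
HAS_TRUSTED_SCHEMA = sqlite3.sqlite_version_info >= (3, 31, 0)

# Same view body for both cases: list the columns of a (hypothetical) table.
VIEW_BODY = "SELECT name FROM pragma_table_info('accounts') ORDER BY cid"


def try_view(conn, create_sql, view_name):
    """Create a view and read it back; return (rows, error_message)."""
    try:
        conn.execute(create_sql)
        rows = [r[0] for r in conn.execute(f"SELECT name FROM {view_name}")]
        return rows, None
    except sqlite3.Error as exc:
        return None, str(exc)


def demo():
    conn = sqlite3.connect(":memory:")
    # Treat everything stored in the database schema as untrusted.
    conn.execute("PRAGMA trusted_schema = OFF")
    conn.execute("CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT)")

    results = {
        # Stored in the main schema: the view text lives in the database
        # file, so its use of a non-innocuous virtual table is refused.
        "main": try_view(
            conn, f"CREATE VIEW main.cols_main AS {VIEW_BODY}", "cols_main"
        ),
        # TEMP view: it can only have been created by this connection,
        # so it is trusted regardless of the trusted_schema setting.
        "temp": try_view(
            conn, f"CREATE TEMP VIEW cols_temp AS {VIEW_BODY}", "cols_temp"
        ),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for schema, (rows, err) in demo().items():
        print(schema, "->", rows if err is None else f"error: {err}")
```
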


