Bug: ALTER TABLE RENAME (still) calls authorizer functions

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Bug: ALTER TABLE RENAME (still) calls authorizer functions

Victor Costan
The description for https://www3.sqlite.org/src/info/eac2aa7dce577f19
includes "Do not invoke the authorizer callback when parsing schema items
as part of ALTER TABLE commands."

In SQLite 3.25.2, the authorizer is called for the internal functions
sqlite_rename_columns, sqlite_rename_table and sqlite_rename_test. Either
the description above is misleading, or the code does not behave as
intended.

This can impact existing deployments, because sqlite_rename_columns and
sqlite_rename_test have not showed up in authorizer calls for 3.24.0.
sqlite_rename_columns is tied with new functionality, but
sqlite_rename_test is used for table-renaming functionality that was
supported before. Example: I've noticed this problem while upgrading SQLite
for Chrome.

In case it helps prioritize, this bug is not urgent for Chrome. We'll just
update our authorizer to allow the new internal functions.

I suspect the solution will involve more blocks like the ones introduced in
the diff I referenced above. Blocks below for convenience.

#ifndef SQLITE_OMIT_AUTHORIZATION
  sqlite3_xauth xAuth = db->xAuth;
#endif

#ifndef SQLITE_OMIT_AUTHORIZATION
  db->xAuth = 0;
#endif

I hope this is useful,
    Victor
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users