New submission from Erlend Egeberg Aasland <erlend.aasl...@innova.no>:

The module level connect method is guarded by PySys_Audit(), but 
sqlite3.Connection.__init__() is not. It is possible to bypass the module level 
connect() method simply by creating a new sqlite3.Connection object directly.

Easily fixed by either moving the PySys_Audit() check to 
pysqlite_connection_init(), or by adding an extra check in 
pysqlite_connection_init().


>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...             raise PermissionError
... 
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>

----------
components: Library (Lib)
files: audit.py
messages: 388264
nosy: berker.peksag, erlendaasland, steve.dower
priority: normal
severity: normal
status: open
title: sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks
type: security
versions: Python 3.10, Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49857/audit.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43434>
_______________________________________
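As an added example (not the reporter's audit.py and not CPython code), the following hook records which audit events fire and can be switched to deny `sqlite3.connect`; the names `AUDIT_LOG`, `DENY_SQLITE`, `events_during`, `is_denied` and the check functions are assumptions of this example. `constructor_is_audited()` reports whether the running interpreter raises the event for direct `sqlite3.Connection(...)` construction, so it distinguishes a build with the proposed check in `pysqlite_connection_init()` from one without it.

```python
import sqlite3
import sys

# Constructed in-memory audit trail: every event name the hook observes.
AUDIT_LOG = []
# When True the hook denies sqlite connections instead of only recording them.
DENY_SQLITE = False

def audit_hook(event, args):
    """Record every audit event; deny 'sqlite3.connect' when policy says so."""
    AUDIT_LOG.append(event)
    if DENY_SQLITE and event == "sqlite3.connect":
        raise PermissionError(f"audit policy denies {event} {args!r}")

sys.addaudithook(audit_hook)  # audit hooks cannot be removed once installed
def events_during(action):
    """Run action() and return the audit events that fired while it ran."""
    start = len(AUDIT_LOG)
    try:
        action()
    except PermissionError:
        pass  # a denied connection still counts as an observed event
    return AUDIT_LOG[start:]

def is_denied(action):
    """Return True if action() is stopped by the hook in deny mode."""
    global DENY_SQLITE
    DENY_SQLITE = True
    try:
        action()
        return False
    except PermissionError:
        return True
    finally:
        DENY_SQLITE = False

def via_connect():
    sqlite3.connect(":memory:").close()

def via_constructor():
    # The path the report describes: building the Connection object directly.
    sqlite3.Connection(":memory:").close()

def connect_is_audited():
    return "sqlite3.connect" in events_during(via_connect)

def constructor_is_audited():
    # False on an unpatched interpreter; True once pysqlite_connection_init() audits too.
    return "sqlite3.connect" in events_during(via_constructor)
```

On an unpatched interpreter `is_denied(via_constructor)` returns False while `is_denied(via_connect)` returns True, which is the gap the report describes.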