New submission from Erlend Egeberg Aasland <erlend.aasl...@innova.no>:
The module-level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module-level connect() method simply by creating a new sqlite3.Connection object directly. Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().

>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...         raise PermissionError
...
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>

----------
components: Library (Lib)
files: audit.py
messages: 388264
nosy: berker.peksag, erlendaasland, steve.dower
priority: normal
severity: normal
status: open
title: sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks
type: security
versions: Python 3.10, Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49857/audit.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43434>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
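A self-check a deployer can run to learn whether the interpreter in use is affected by the bypass described in this report. It is added here and is not the reporter's audit.py; it installs its own (constructed) audit hook and records which sqlite3 entry points raise the 'sqlite3.connect' event.

```python
import sqlite3
import sys

# Constructed check, not code from the bug report. Audit hooks cannot be
# removed once installed, so a module-level hook records every event.
_seen_connect_events = []


def _recording_hook(event, args):
    if event == "sqlite3.connect":
        _seen_connect_events.append(args)


sys.addaudithook(_recording_hook)

# True on interpreters new enough to carry the fix for this issue (3.10+);
# the test only asserts the bypass is closed when this holds.
IS_PY310_PLUS = sys.version_info >= (3, 10)


def audited_entry_points():
    """Return {'connect': bool, 'Connection': bool}: whether each way of
    opening a database fires the 'sqlite3.connect' audit event."""
    results = {}
    for name, factory in (("connect", sqlite3.connect),
                          ("Connection", sqlite3.Connection)):
        before = len(_seen_connect_events)
        conn = factory(":memory:")   # opening an in-memory DB is enough
        conn.close()
        results[name] = len(_seen_connect_events) > before
    return results


def bypass_possible():
    """True if sqlite3.connect() is audited but direct construction of
    sqlite3.Connection is not, i.e. a hook on 'sqlite3.connect' can be
    sidestepped on this interpreter."""
    r = audited_entry_points()
    return r["connect"] and not r["Connection"]


if __name__ == "__main__":
    print("audited entry points:", audited_entry_points())
    print("hook bypass possible:", bypass_possible())
```

On a fixed interpreter both entries are True and bypass_possible() is False; on an affected one, only 'connect' is True.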