On Tue, 1 Aug 2017, Matt Chambers wrote:
> load_extension() has the very sensible behavior of:
>
>     So for example, if "samplelib" cannot be loaded, then names like
>     "samplelib.so" or "samplelib.dylib" or "samplelib.dll" might be tried
>     also.
>
> I would like to see that extended to include "libsamplelib.so" since that is
> the default naming scheme on many *nix platforms. This simple change would
> allow me to use the same base library name for my extension on both Windows
> and Linux. Otherwise I have to modify my build system to override its
> default behavior of adding the lib prefix on Linux.
These conveniences tend to lessen the security of sqlite since this is
arbitrary executable code capable of doing anything the user is able
to do (e.g. delete all files or add a virus). If the user is willing
to be precise, then there is less risk of a compromised module/library
being introduced.
It should be obvious that calling sqlite3_load_extension() without an
absolute path, or other safeguards, exposes the program to
accidentally loading a file from whatever happens to be the current
directory (perhaps a writeable directory that an attacker was able to
write into).
Apple's OS X and Microsoft Windows always try to load from the current
directory.
Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
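A defensive wrapper in the spirit of the advice above (an added example, not code from the thread or from SQLite itself): it accepts only a bare file name, pins the lookup to one operator-chosen directory, rejects files other users can write to, and only then hands an absolute path to load_extension(). The directory and the empty `libsamplelib.so` fixture in `demo()` are constructed; the permission check assumes POSIX mode bits.

```python
import os
import stat
import tempfile

def resolve_extension_path(name, allowed_dir):
    """Absolute, symlink-resolved path of extension `name` inside `allowed_dir`, or raise.
    `name` must be a bare file name, so the lookup never involves the current directory."""
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("extension name must be a bare file name: %r" % name)
    root = os.path.realpath(allowed_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:  # symlink escaping root
        raise ValueError("extension escapes allowed directory: %r" % candidate)
    st = os.stat(candidate)  # FileNotFoundError if the module is absent
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("extension is not a regular file: %r" % candidate)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # POSIX: others could replace it
        raise ValueError("extension is writable by other users: %r" % candidate)
    return candidate

def load_extension_strictly(conn, name, allowed_dir):
    """Load into sqlite3.Connection `conn`, enabling loading only for this call."""
    path = resolve_extension_path(name, allowed_dir)
    conn.enable_load_extension(True)
    try:
        conn.load_extension(path)  # absolute path: no suffix or CWD search
    finally:
        conn.enable_load_extension(False)
    return path

def demo():
    """Constructed fixture: an empty libsamplelib.so in a private directory; returns
    what each candidate name yields ('accepted' or the exception class name)."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "libsamplelib.so")
        open(good, "wb").close()
        for mode, names in ((0o644, ("libsamplelib.so", "../libsamplelib.so",
                                     "/tmp/libsamplelib.so", "missing.so")),
                            (0o666, ("libsamplelib.so",))):  # world-writable now
            os.chmod(good, mode)
            for n in names:
                try:
                    ok = resolve_extension_path(n, d) == os.path.realpath(good)
                    out[(oct(mode), n)] = "accepted" if ok else "wrong path"
                except (ValueError, FileNotFoundError) as e:
                    out[(oct(mode), n)] = type(e).__name__
    return out
```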