On Thu, Aug 3, 2017 at 10:42 AM, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:

> On Tue, 1 Aug 2017, Matt Chambers wrote:
>
>> load_extension() has the very sensible behavior of:
>>
>>> So for example, if "samplelib" cannot be loaded, then names like
>>> "samplelib.so" or "samplelib.dylib" or "samplelib.dll" might be tried
>>> also.
>>>
>>
>> I would like to see that extended to include "libsamplelib.so" since that
>> is the default naming scheme on many *nix platforms. This simple change
>> would allow me to use the same base library name for my extension on both
>> Windows and Linux. Otherwise I have to modify my build system to override
>> its default behavior of adding the lib prefix on Linux.
>>
>
> These conveniences tend to lessen the security of sqlite since this is
> arbitrary executable code capable of doing anything the user is able to do
> (e.g. delete all files or add a virus).  If the user is willing to be
> precise, then there is less risk of a compromised module/library from being
> introduced.
>
>
then it shouldn't try any alternatives.  OR it should always be
'lib<base>.so' which would also be acceptable.



> It should be obvious that calling sqlite3_load_extension() without an
> absolute path, or other safeguards, exposes the program to accidentally
> loading a file from whatever happens to be the current directory (perhaps a
> writeable directory that an attacker was able to write into).
>
> Apple's OS X and Microsoft Windows always try to load from the current
> directory.
>
> Bob
> --
> Bob Friesenhahn
> bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
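The thread above argues two things: that an extension loader should not guess among several file names, and that sqlite3_load_extension() should only ever be handed an absolute path so the current directory is never searched. The following is an added example written for this page, not code from the thread, from SQLite, or from either poster. It assumes a hypothetical directory TRUSTED_EXT_DIR that only an administrator can write to, derives exactly one candidate path, lib<base> plus the platform suffix, and rejects base names that contain path characters. The actual SQLite call (sqlite3_enable_load_extension() followed by sqlite3_load_extension()) is shown only in a comment so the file builds without libsqlite3.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: a directory writable only by an administrator. */
#define TRUSTED_EXT_DIR "/usr/local/lib/myapp/sqlite-ext"

/* Pick one suffix per platform instead of trying several at run time. */
#if defined(_WIN32)
#define EXT_SUFFIX ".dll"
#elif defined(__APPLE__)
#define EXT_SUFFIX ".dylib"
#else
#define EXT_SUFFIX ".so"
#endif

/* A base name is acceptable only if it is a plain identifier: no separators,
 * no dots, non-empty and short. Returns 1 when acceptable, 0 otherwise. */
int ext_base_name_ok(const char *base) {
    size_t n = strlen(base);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)base[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Build the single fixed candidate TRUSTED_EXT_DIR/lib<base><suffix>.
 * No alternative spellings are tried and the working directory is never
 * consulted. Returns 0 on success, -1 if the name is rejected or the
 * buffer is too small. */
int resolve_extension_path(const char *base, char *out, size_t outsz) {
    if (!ext_base_name_ok(base)) return -1;
    int w = snprintf(out, outsz, "%s/lib%s%s", TRUSTED_EXT_DIR, base, EXT_SUFFIX);
    if (w < 0 || (size_t)w >= outsz) return -1;
    return 0;
}

/* Defensive check for a path the caller already holds: it must be absolute
 * and contain no ".." component, so the load cannot be redirected into
 * whatever directory the process happens to be running in. */
int extension_path_is_absolute_and_clean(const char *path) {
    if (path[0] != '/') return 0;
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}

int main(void) {
    char path[512];
    const char *requests[] = { "samplelib", "../evil", "sub/dir" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (resolve_extension_path(requests[i], path, sizeof path) == 0 &&
            extension_path_is_absolute_and_clean(path)) {
            printf("would load: %s\n", path);
            /* With a real sqlite3 *db:
             *   sqlite3_enable_load_extension(db, 1);
             *   rc = sqlite3_load_extension(db, path, 0, &errmsg);
             *   sqlite3_enable_load_extension(db, 0);
             */
        } else {
            printf("rejected:   %s\n", requests[i]);
        }
    }
    return 0;
}
```

Passing a fully resolved absolute path means SQLite's own fallback search (the "samplelib.so" / "samplelib.dylib" / "samplelib.dll" variants quoted above) is never reached, and re-disabling extension loading immediately after the call keeps SQL-level load_extension() unavailable to queries.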