On Fri, Aug 4, 2017 at 6:29 AM, Bob Friesenhahn < bfrie...@simple.dallas.tx.us> wrote:
> On Fri, 4 Aug 2017, Dominique Devienne wrote: > >> >> I really don't see what's controversial with Matt's request :) >> >> It's not like load-extension is a performance-critical operation, that >> trying an extra load is that expensive. >> And the security consideration that an "attacker" could make it load his >> own library instead, but using a >> different name tried before the actual one is moot IMHO, since extension >> loading is by nature unsafe. >> >> In short, I support Matt's request and I hope DRH considers it seriously. >> FWIW :). --DD >> > > It is true that sqlite normally only needs to load an extension once per > invocation. However, loading an extension incurs a cost in that > several/many 'stat' operations on the filesystem are necessary in order to > find the module unless the full path to it was given (use 'strace', > 'truss', or 'dtruss' to see this in action). The security implications can > be severe on some popular operating systems. > > As I mentioned before, two very popular desktop OSs (Microsoft Windows and > Apple's OS X) have a defined pattern in that they will search the current > directory for a module by default. And then search the whole path. certainly not a cost savings, don't see the point. > Hopefully it should sink in that if one requests loading the extension > while the process current directory is currently in a potentially 'hostile' > directory that this may lead to the compromise of the account of the user > ID executing sqlite because arbitrary binary code can be injected. > And how does this help avoid that? export LD_LIBRARY_PATH=. and it is the same behavior as windows... > > Lazy programmers who request such things are of the same ilk which use > programming practices resulting in SQL injection attacks. Sqlite should > not promote such practices. > > Probably the extension is not in a well known place, so a path of possible places is still going to be checked. > Bob > -- > Bob Friesenhahn > bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ > GraphicsMagick Maintainer, http://www.GraphicsMagick.org/ > _______________________________________________ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users