On Fri, 4 Aug 2017, Peter Da Silva wrote:

> On 8/4/17, 8:29 AM, "sqlite-users on behalf of Bob Friesenhahn"
> <sqlite-users-boun...@mailinglists.sqlite.org on behalf of bfrie...@simple.dallas.tx.us>
> wrote:
>> Lazy programmers who request such things are of the same ilk which use
>> programming practices resulting in SQL injection attacks.  Sqlite should not
>> promote such practices.
>
> Then require a fully qualified path and extension, and don’t have a search path
> for DLLs at all.
>
> Otherwise you’re just haggling over where to draw the line.

The operating system (insert operating system used here) has an operating-system specific algorithm it uses when it searches for shared libraries which were specified using only the file name. Whether 'lib' at the front of the file name is significant to its searching behavior depends on the operating system used.

I have not checked what sqlite actually does, but for security, it should be doing its own 'stat' to find the existing module, and then open it via an explicit path in order to defeat any operating-system specific behavior.

If sqlite were to simply issue load requests via dlopen() (or equivalent) with various permutations, then it would become subject to the varying behavior of different systems. For example, a program which uses sqlite as part of a directory indexer which is indexing a directory which contains uploads from untrusted users could be compromised.

Sqlite does not really have a way to know if a module in the current directory (the directory which just happened to be current when the request was made) should be trusted. To be secure, sqlite should insist that the load request be something other than a bare module name because then the responsibility is put on the user of sqlite.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
