On Tuesday, 18 December, 2018 14:50, Nathan Green <ngr...@inco5.com> wrote:

>Except the problem isn't just in Chrome. Apparently, any system that
>allows SQL injection is vulnerable. Since SQLite can be used as a file
>format to transport application data
>(https://www.sqlite.org/appfileformat.html),
>other applications might also be vulnerable. It's not hard to
>conceive of exploiting an application with a "restore from backup"
>feature.

But this is not an SQLite3 problem.  This is a crap design of the application 
problem as the precondition "any system that allows SQL injection is 
vulnerable" is an absolute requirement.  If you prohibit that precondition, the 
issue cannot exist (though I suppose it would be possible for a malicious 
application to deliberately send malicious SQL, but again, this is an 
application problem, not an SQLite3 problem).

>How "remote" the RCE is depends on the application architecture. I'm
>thankful that SQLite works really well for my use cases, and also that I have
>sandboxed all of my code to run in unprivileged accounts.

Allāhu Akbar!  (Facing north cuz, well, some other people failed spherical 
geometry in grade school)

Hanging curtains (and closing them) on the bedroom windows to prevent the 
neighbours over the way from peeping in through the one-way glass and taking 
pictures of your naughty bits is the prudent thing to do.  You can giggle and 
"move along, nothing to see here" when the peeper over the way puts pictures of 
your neighbour in the local newspaper because he believed the glass vendor's 
claim of the one-way-ness of the glazing and ignore all the kerfuffle that 
ensues (with a nice glass of single malt and a bag of popcorn).

I have been told that it is "not fair" to implement proper security and protect 
oneself in advance and that one should follow the "Best Practice" and view the 
world through the fog of short-sightedness so induced in such a manner as to 
create the most "Oh Shit" moments possible and to avoid giggling when something 
that cannot possibly affect me affects my lesser prepared neighbours ...
 
---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.





_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
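
Added example (not part of the original message and not SQLite project code): one way an application's "restore from backup" path can rule out the SQL-injection precondition discussed above, by running only fixed, parameter-bound SQL against the untrusted file under a deny-by-default authorizer. The `notes` table, its columns and all function names are hypothetical, and `make_sample` builds a constructed sample file.

```python
import sqlite3
from pathlib import Path

# Assumed layout of the application's backup file (hypothetical names).
EXPECTED_SCHEMA = {("table", "notes")}
ALLOWED_READS = {("notes", "id"), ("notes", "body")}

def _authorizer(action, arg1, arg2, dbname, source):
    """Deny by default; allow only SELECTs that read the expected columns."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in ALLOWED_READS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def open_restricted(backup_path):
    """Open an untrusted backup read-only and refuse unexpected schema objects."""
    uri = Path(backup_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        # Views and triggers stored in the file carry their own SQL, so a file
        # holding anything beyond the expected table is rejected outright.
        schema = set(conn.execute("SELECT type, name FROM sqlite_master"))
        if schema != EXPECTED_SCHEMA:
            raise ValueError(f"unexpected schema objects: {sorted(schema)}")
        conn.set_authorizer(_authorizer)
    except Exception:
        conn.close()
        raise
    return conn

def restore_notes(backup_path, min_id=0):
    """Read notes with fixed SQL; caller input is bound, never concatenated."""
    conn = open_restricted(backup_path)
    try:
        sql = "SELECT id, body FROM notes WHERE id >= ? ORDER BY id"
        return conn.execute(sql, (min_id,)).fetchall()
    finally:
        conn.close()

def make_sample(path, extra_sql=""):
    """Build a constructed sample backup file for the demonstration."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);"
        "INSERT INTO notes(body) VALUES ('first'), ('second');" + extra_sql)
    conn.commit()
    conn.close()
```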
