On 27 Aug 2019, at 7:47pm, Jens Alfke <j...@mooseyard.com> wrote:

> Archive files often get transferred between people. Using this format for 
> that purpose would involve opening and reading untrusted SQLite database 
> files. Is that safe? Could maliciously corrupting the schema or other 
> metadata of a database cause security problems for the client accessing the 
> database?

You're thinking of an exploit like a ZIP bomb.  This is a small, 
maliciously-constructed ZIP file which expands into a huge amount of contents.  
A well-known example is a 42 kilobyte zip file which unzips into 4.5 petabytes 
of contents.

Other problems include overwriting in-archive filenames with illegal characters 
like a colon and a slash, then relying on oversights in OS routines to do nasty 
things to your file structure.

I'm going to let the devs handle this one.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
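
The two archive risks mentioned in the message above (extreme expansion and hostile entry names), checked before anything is extracted. This is an added example, not part of the original post; it uses Python's `zipfile` module on a constructed in-memory archive, and the function names and the `MAX_RATIO` / `MAX_TOTAL` limits are assumptions chosen for illustration.

```python
import io
import zipfile

MAX_RATIO = 100            # assumed policy: declared size / compressed size
MAX_TOTAL = 50 * 1024**2   # assumed policy: total bytes allowed after extraction
BAD_CHARS = set(':\\') | {chr(c) for c in range(32)}

def name_problem(name):
    """Return why an entry name is unsafe to join onto an output dir, or None."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    if BAD_CHARS & set(name):
        return "colon, backslash or control character"
    return None

def audit_zip(blob, max_ratio=MAX_RATIO, max_total=MAX_TOTAL):
    """List (entry name, reason) findings from the central directory only."""
    findings, total = [], 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            reason = name_problem(info.filename)
            if reason:
                findings.append((info.filename, reason))
            total += info.file_size
            if info.file_size / max(info.compress_size, 1) > max_ratio:
                findings.append((info.filename, "compression ratio"))
    if total > max_total:
        findings.append(("<archive>", "total size"))
    return findings

def bounded_read(zf, info, limit):
    """Decompress one entry but stop at `limit` bytes; headers can lie."""
    out = bytearray()
    with zf.open(info) as src:
        while chunk := src.read(64 * 1024):
            out += chunk
            if len(out) > limit:
                raise ValueError(f"{info.filename}: exceeds {limit} bytes")
    return bytes(out)

def build_sample():
    """Constructed test archive: one benign, one oversized, two badly named."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("big.bin", b"\0" * 5_000_000)
        zf.writestr("../escape.txt", "x")
        zf.writestr("a:b.txt", "x")
    return buf.getvalue()
```

The header audit is cheap but trusts sizes the archive declares about itself, which is why `bounded_read` also caps the bytes actually produced during decompression.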
