On Thu, Dec 9, 2010 at 4:03 AM, Roger Binns <rog...@rogerbinns.com> wrote:
> On 12/08/2010 11:39 PM, Andy Gibbs wrote:
> > It looks like our calls did not go unheeded: it seems now to be fixed here
> > http://www.sqlite.org/src/info/9c19b7ae35.
>
> The question of why the existing authorizer functionality is
> insufficient or has some hole hasn't been answered.
>
> Whatever Fossil was vulnerable to that needed this emergency fix is
> something that could affect the rest of us.

There was no vulnerability in Fossil. The existing authorizer functionality was sufficient as far as we are aware.

The new sqlite3_stmt_readonly() interface was added by request of an SQLite Consortium member for reasons totally unrelated to Fossil. But once added, I decided to also use the new interface in Fossil, just as an extra line of defense against malicious SQL in the user-entered ticket query mechanism, and also as an additional test of the new interface in a real application.

> Roger
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

--
D. Richard Hipp
d...@sqlite.org
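
The authorizer layer discussed in this message, sketched with Python's sqlite3 module as an added example (not code from Fossil, SQLite or anyone in this thread). The schema, the allow-lists and the names report_authorizer, open_report_db and run_user_query are hypothetical; sqlite3_stmt_readonly() is a C-level call and is not used here.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical, not Fossil's schema.
SCHEMA = """
CREATE TABLE ticket(id INTEGER PRIMARY KEY, title TEXT, status TEXT);
CREATE TABLE user(login TEXT, pw TEXT);
INSERT INTO ticket VALUES (1, 'crash on start', 'open'), (2, 'typo', 'closed');
INSERT INTO user VALUES ('admin', 'secret');
"""
READABLE_TABLES = {"ticket"}              # assumption: reports may read only this table
SAFE_FUNCTIONS = {"count", "lower", "upper"}  # assumption: small function allow-list

def report_authorizer(action, arg1, arg2, dbname, source):
    """Allow plain SELECTs over allow-listed tables; deny every other action."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in READABLE_TABLES:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in SAFE_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY            # writes, PRAGMA, ATTACH, other tables, ...

def open_report_db():
    """Build the sample database first, then lock the connection down."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.set_authorizer(report_authorizer)  # applies to every later statement
    return db

def run_user_query(db, sql):
    """Run one user-entered query; return (rows, None) or (None, reason)."""
    try:
        return db.execute(sql).fetchall(), None
    except sqlite3.Error as exc:          # an authorizer denial surfaces here
        return None, str(exc)

if __name__ == "__main__":
    db = open_report_db()
    for sql in ("SELECT id, title FROM ticket WHERE status = 'open'",
                "SELECT pw FROM user",
                "DELETE FROM ticket"):
        print(sql, "->", run_user_query(db, sql))
```

The denial happens when the statement is compiled, so a rejected query never executes any part of its work.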