author | drh <drh@noemail.net> | 2017-05-11 12:05:23 +0000 |
---|---|---|
committer | drh <drh@noemail.net> | 2017-05-11 12:05:23 +0000 |
commit | 2336c935af3200ce80f266e07e12baa80a58ae9f (patch) | |
tree | 796f30fe988fde9887c00dd422a3f877c9839b7a /src | |
parent | e69413978827e61d746c8394f8b6345d44d4a6ef (diff) | |
Change the SQLITE_READ authorization call for unreferenced tables to use
an empty string for the column name, as this is less likely to impact legacy
authorization callbacks that assume column names are always non-NULL.
FossilOrigin-Name: 4139953ab528f20fa346409810edcb22adb6c1edc9d22f40b1b077ef842a2441
Diffstat (limited to 'src')
-rw-r--r-- | src/select.c | 16 | ||||
-rw-r--r-- | src/sqlite.h.in | 2 |
2 files changed, 13 insertions, 5 deletions
diff --git a/src/select.c b/src/select.c
index 57d0b93fb..eabbcc8c9 100644
--- a/src/select.c
+++ b/src/select.c
@@ -5124,15 +5124,23 @@ int sqlite3Select(
 SelectDest dest;
 Select *pSub;
- /* Issue SQLITE_READ authorizations with a NULL column name for any tables that
+ /* Issue SQLITE_READ authorizations with a fake column name for any tables that
 ** are referenced but from which no values are extracted. Examples of where these
 ** kinds of null SQLITE_READ authorizations would occur:
 **
- ** SELECT count(*) FROM t1; -- SQLITE_READ t1 null
- ** SELECT t1.* FROM t1, t2; -- SQLITE_READ t2 null
+ ** SELECT count(*) FROM t1; -- SQLITE_READ t1.""
+ ** SELECT t1.* FROM t1, t2; -- SQLITE_READ t2.""
+ **
+ ** The fake column name is an empty string. It is possible for a table to
+ ** have a column named by the empty string, in which case there is no way to
+ ** distinguish between an unreferenced table and an actual reference to the
+ ** "" column. The original design was for the fake column name to be a NULL,
+ ** which would be unambiguous. But legacy authorization callbacks might
+ ** assume the column name is non-NULL and segfault. The use of an empty string
+ ** for the fake column name seems safer.
 */
 if( pItem->colUsed==0 ){
- sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, pItem->zDatabase, 0);
+ sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, "", pItem->zDatabase);
 }
 #if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)
diff --git a/src/sqlite.h.in b/src/sqlite.h.in
index 2761ce66d..74edcb56b 100644
--- a/src/sqlite.h.in
+++ b/src/sqlite.h.in
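Review bot: The rewritten call in the `if( pItem->colUsed==0 )` branch changes more than the column name: `pItem->zDatabase` moves from the fourth argument to the fifth, so the database name that authorizer callbacks see for these table-level reads presumably changes too, and neither the commit message nor the new comment mentions it. The signature of sqlite3AuthCheck is outside the hunk, so the slot meanings are inferred from the `t1.""` notation in the comment. Because authorizer callbacks are commonly used to confine untrusted SQL per database or per column, I would state the argument order in the comment, for example `** The arguments are the table name, the column name (""), then the database name.` The context line `** kinds of null SQLITE_READ authorizations would occur:` is now stale and could read `** kinds of empty-column SQLITE_READ authorizations would occur:`. The body of sqlite3Select starts and ends outside the hunk.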
@@ -2714,7 +2714,7 @@ void sqlite3_randomness(int N, void *P);
 ** ^When a table is referenced by a [SELECT] but no column values are
 ** extracted from that table (for example in a query like
 ** "SELECT count(*) FROM tab") then the [SQLITE_READ] authorizer callback
-** is invoked once for that table with a NULL column name.
+** is invoked once for that table with a column name that is an empty string.
 ** ^If the action code is [SQLITE_DELETE] and the callback returns
 ** [SQLITE_IGNORE] then the [DELETE] operation proceeds but the
 ** [truncate optimization] is disabled and all rows are deleted individually. |