archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a mitigation strategy against potential security flaws

Browse source
This commit is contained in:
bohwaz 2018-12-16 22:52:37 +01:00 committed by Christoph M. Becker
parent 1fd32e9c2f
commit e93259bb23
6 changed files with 75 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -32,6 +32,9 @@ PHP NEWS
- sodium: - sodium:
. Fixed bug #77646 (sign_detached() strings not terminated). (Frank) . Fixed bug #77646 (sign_detached() strings not terminated). (Frank)
- SQLite3:
. Added sqlite3.defensive INI directive. (BohwaZ)
- Standard: - Standard:
. Fixed bug #77664 (Segmentation fault when using undefined constant in . Fixed bug #77664 (Segmentation fault when using undefined constant in
custom wrapper). (Laruence) custom wrapper). (Laruence)

1
ext/sqlite3/php_sqlite3.h
View file

@ -28,6 +28,7 @@ extern zend_module_entry sqlite3_module_entry;
ZEND_BEGIN_MODULE_GLOBALS(sqlite3) ZEND_BEGIN_MODULE_GLOBALS(sqlite3)
char *extension_dir; char *extension_dir;
int dbconfig_defensive;
ZEND_END_MODULE_GLOBALS(sqlite3) ZEND_END_MODULE_GLOBALS(sqlite3)
#ifdef ZTS #ifdef ZTS

9
ext/sqlite3/sqlite3.c
View file

@ -81,6 +81,9 @@ static void php_sqlite3_error(php_sqlite3_db_object *db_obj, char *format, ...)
*/ */
PHP_INI_BEGIN() PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("sqlite3.extension_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, extension_dir, zend_sqlite3_globals, sqlite3_globals) STD_PHP_INI_ENTRY("sqlite3.extension_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, extension_dir, zend_sqlite3_globals, sqlite3_globals)
#if SQLITE_VERSION_NUMBER >= 3026000
STD_PHP_INI_ENTRY("sqlite3.defensive", "1", PHP_INI_SYSTEM, OnUpdateBool, dbconfig_defensive, zend_sqlite3_globals, sqlite3_globals)
#endif
PHP_INI_END() PHP_INI_END()
/* }}} */ /* }}} */
@ -166,6 +169,12 @@ PHP_METHOD(sqlite3, open)
sqlite3_set_authorizer(db_obj->db, php_sqlite3_authorizer, NULL); sqlite3_set_authorizer(db_obj->db, php_sqlite3_authorizer, NULL);
} }
#if SQLITE_VERSION_NUMBER >= 3026000
if (SQLITE3G(dbconfig_defensive)) {
sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL);
}
#endif
if (fullpath != filename) { if (fullpath != filename) {
efree(fullpath); efree(fullpath);
} }

40
ext/sqlite3/tests/sqlite3_defensive.phpt Normal file
View file

@ -0,0 +1,40 @@
--TEST--
SQLite3 defensive mode ini setting
--SKIPIF--
<?php require_once(__DIR__ . '/skipif.inc');
if (SQLite3::version()['versionNumber'] < 3026000) {
die("skip: sqlite3 library version < 3.26: no support for defensive mode");
}
?>
--INI--
sqlite3.defensive=On
--FILE--
<?php
$db = new SQLite3(':memory:');
var_dump($db->exec('CREATE TABLE test (a, b);'));
// This does not generate an error!
var_dump($db->exec('PRAGMA writable_schema = ON;'));
var_dump($db->querySingle('PRAGMA writable_schema;'));
// Should be 1
var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
// Should generate an error!
var_dump($db->querySingle('DELETE FROM sqlite_master;'));
// Should still be 1
var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
?>
--EXPECTF--
bool(true)
bool(true)
int(1)
int(1)
Warning: SQLite3::querySingle(): Unable to prepare statement: 1, table sqlite_master may not be modified in %s on line %d
bool(false)
int(1)

11
php.ini-development
View file

@ -986,8 +986,19 @@ cli_server.color = On
;intl.use_exceptions = 0 ;intl.use_exceptions = 0
[sqlite3] [sqlite3]
; Directory pointing to SQLite3 extensions
; http://php.net/sqlite3.extension-dir
;sqlite3.extension_dir = ;sqlite3.extension_dir =
; SQLite defensive mode flag (only available from SQLite 3.26+)
; When the defensive flag is enabled, language features that allow ordinary
; SQL to deliberately corrupt the database file are disabled. This forbids
; writing directly to the schema, shadow tables (eg. FTS data tables), or
; the sqlite_dbpage virtual table.
; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
; (for older SQLite versions, this flag has no use)
sqlite3.defensive = 1
[Pcre] [Pcre]
;PCRE library backtracking limit. ;PCRE library backtracking limit.
; http://php.net/pcre.backtrack-limit ; http://php.net/pcre.backtrack-limit

11
php.ini-production
View file

@ -993,8 +993,19 @@ cli_server.color = On
;intl.use_exceptions = 0 ;intl.use_exceptions = 0
[sqlite3] [sqlite3]
; Directory pointing to SQLite3 extensions
; http://php.net/sqlite3.extension-dir
;sqlite3.extension_dir = ;sqlite3.extension_dir =
; SQLite defensive mode flag (only available from SQLite 3.26+)
; When the defensive flag is enabled, language features that allow ordinary
; SQL to deliberately corrupt the database file are disabled. This forbids
; writing directly to the schema, shadow tables (eg. FTS data tables), or
; the sqlite_dbpage virtual table.
; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
; (for older SQLite versions, this flag has no use)
sqlite3.defensive = 1
[Pcre] [Pcre]
;PCRE library backtracking limit. ;PCRE library backtracking limit.
; http://php.net/pcre.backtrack-limit ; http://php.net/pcre.backtrack-limit