
Commit fd3a1ca

beidson authored and carlosgcampos committed
Merge r185003 - WebSQL default functions can bypass authorizer.
<rdar://problem/21048994> and https://bugs.webkit.org/show_bug.cgi?id=145463

Reviewed by Sam Weinig and Alexey Proskuryakov.

No new tests yet.

* platform/sql/SQLiteDatabase.cpp:
(WebCore::unauthorizedSQLFunction): Function to install into SQLite to override some built-in functions.
(WebCore::SQLiteDatabase::open):
(WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): Install function overrides for functions that take arbitrary input that are also meant to be disabled by virtue of them not being whitelisted.
* platform/sql/SQLiteDatabase.h:
1 parent 6bea461 commit fd3a1ca

3 files changed: +44 -1 lines changed

Source/WebCore/ChangeLog

Lines changed: 16 additions & 0 deletions
@@ -1,3 +1,19 @@
1+
2015-05-29 Brady Eidson <beidson@apple.com>
2+
3+
WebSQL default functions can bypass authorizer.
4+
<rdar://problem/21048994> and https://bugs.webkit.org/show_bug.cgi?id=145463
5+
6+
Reviewed by Sam Weinig and Alexey Proskuryakov.
7+
8+
No new tests yet.
9+
10+
* platform/sql/SQLiteDatabase.cpp:
11+
(WebCore::unauthorizedSQLFunction): Function to install into SQLite to override some built-in functions.
12+
(WebCore::SQLiteDatabase::open):
13+
(WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): Install function overrides for functions that
14+
take arbitrary input that are also meant to be disabled by virtue of them not being whitelisted.
15+
* platform/sql/SQLiteDatabase.h:
16+
117
2015-05-28 Zalan Bujtas <zalan@apple.com>
218

319
Subpixel rendering: Pixel crack in text selection of simple text in <textarea>.
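Review bot: "No new tests yet." leaves the fix unverified; a LayoutTest that opens a WebSQL database and executes a statement calling one of the overridden functions (printf is the simplest), asserting that the statement fails with the "Function ... is unauthorized" error, would pin the behaviour and catch a regression if a later SQLite upgrade changes how these built-ins are registered.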

Source/WebCore/platform/sql/SQLiteDatabase.cpp

Lines changed: 25 additions & 0 deletions
@@ -50,6 +50,13 @@ WEBCORE_EXPORT const int SQLResultConstraint = SQLITE_CONSTRAINT;
5050

5151
static const char notOpenErrorMessage[] = "database is not open";
5252

53+
static void unauthorizedSQLFunction(sqlite3_context *context, int, sqlite3_value **)
54+
{
55+
const char* functionName = (const char*)sqlite3_user_data(context);
56+
String errorMessage = String::format("Function %s is unauthorized", functionName);
57+
sqlite3_result_error(context, errorMessage.utf8().data(), -1);
58+
}
59+
5360
SQLiteDatabase::SQLiteDatabase()
5461
: m_db(0)
5562
, m_pageSize(-1)
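Review bot: in unauthorizedSQLFunction the message is built with WTF String::format() and then converted with utf8() just to be copied again by sqlite3_result_error(); sqlite3_mprintf()/sqlite3_free() or a fixed literal would avoid the double allocation inside a SQLite callback. The C-style cast `(const char*)sqlite3_user_data(context)` should be a static_cast<const char*> to match WebKit style. Note that the function name string is used after registration, so the pointer passed as user data must outlive the database connection (string literals satisfy that).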
@@ -82,6 +89,8 @@ bool SQLiteDatabase::open(const String& filename, bool forWebSQLDatabase)
8289
return false;
8390
}
8491

92+
overrideUnauthorizedFunctions();
93+
8594
m_openError = sqlite3_extended_result_codes(m_db, 1);
8695
if (m_openError != SQLITE_OK) {
8796
m_openErrorMessage = sqlite3_errmsg(m_db);
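Review bot: overrideUnauthorizedFunctions() is called for every opened database, not only when forWebSQLDatabase is true, so internal WebKit databases (icons, IndexedDB and similar) also lose printf(), eval() and the others. If no internal query relies on them that is fine, but it should be stated in the ChangeLog; otherwise gate the call on forWebSQLDatabase, which is the only caller the authorizer is meant to protect.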
@@ -133,6 +142,22 @@ void SQLiteDatabase::close()
133142
m_openErrorMessage = CString();
134143
}
135144

145+
void SQLiteDatabase::overrideUnauthorizedFunctions()
146+
{
147+
std::pair<const char*, int> functionParameters[] = {
148+
{ "rtreenode", 2 },
149+
{ "rtreedepth", 1 },
150+
{ "eval", 1 },
151+
{ "eval", 2 },
152+
{ "printf", -1 },
153+
{ "fts3_tokenizer", 1 },
154+
{ "fts3_tokenizer", 2 },
155+
};
156+
157+
for (auto& functionParameter : functionParameters)
158+
sqlite3_create_function(m_db, functionParameter.first, functionParameter.second, SQLITE_UTF8, (void*)functionParameter.first, unauthorizedSQLFunction, 0, 0);
159+
}
160+
136161
void SQLiteDatabase::interrupt()
137162
{
138163
m_interrupted = true;
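Review bot: the return value of sqlite3_create_function() in the loop is discarded, so if a registration fails (for example SQLITE_MISUSE or SQLITE_BUSY) the built-in stays callable with no trace in the log; at least ASSERT or LOG_ERROR on a non-SQLITE_OK result. The arities in functionParameters must match exactly those SQLite registers the built-ins with, because SQLite prefers an exact-arity match over a -1 entry and an override at a different arity would not shadow the original; a comment saying so, and noting that -1 for printf works only because printf is registered variadic, would help whoever updates the list after a SQLite bump. The array could also be `static const`.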

Source/WebCore/platform/sql/SQLiteDatabase.h

Lines changed: 3 additions & 1 deletion
@@ -148,7 +148,9 @@ class SQLiteDatabase {
148148
void enableAuthorizer(bool enable);
149149

150150
int pageSize();
151-
151+
152+
void overrideUnauthorizedFunctions();
153+
152154
sqlite3* m_db;
153155
int m_pageSize;
154156

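Review bot: the new overrideUnauthorizedFunctions() declaration has no comment; a one-line note that it replaces non-whitelisted SQLite built-ins with stubs that return an error, and that it must be called right after sqlite3_open, would make the header self-explanatory.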