sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks #87600
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
```python
assignee = None
closed_at = <Date 2021-05-02.22:56:58.153>
created_at = <Date 2021-03-08.12:53:59.903>
labels = ['type-security', '3.8', 'library', '3.9', '3.10']
title = "sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks"
updated_at = <Date 2021-05-02.22:56:58.152>
user = 'https://github.com/erlend-aasland'
```

```python
activity = <Date 2021-05-02.22:56:58.152>
actor = 'steve.dower'
assignee = 'none'
closed = True
closed_date = <Date 2021-05-02.22:56:58.153>
closer = 'steve.dower'
components = ['Library (Lib)']
creation = <Date 2021-03-08.12:53:59.903>
creator = 'erlendaasland'
dependencies =
files = ['49857', '49858']
hgrepos =
issue_num = 43434
keywords = ['patch']
message_count = 13.0
messages = ['388264', '392393', '392702', '392709', '392724', '392735', '392736', '392737', '392742', '392743', '392745', '392748', '392749']
nosy_count = 4.0
nosy_names = ['berker.peksag', 'steve.dower', 'miss-islington', 'erlendaasland']
pr_nums = ['25818', '25822', '25823', '25825', '25826']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue43434'
versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']
```
The module level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module level connect() method simply by creating a new sqlite3.Connection object directly.
Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().
```python
>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...         raise PermissionError
...
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>
```
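A self-check for the gap reported above, as an added example that is not part of the original issue or of CPython's code: it records, on the running interpreter, whether each way of constructing a connection raises the `sqlite3.connect` audit event. The helper names (`audit_coverage`, `bypass_present`, `_AuditedSubclass`) are assumptions introduced here.

```python
import sqlite3
import sys

_seen = []          # 'sqlite3.connect' events captured during a probe
_armed = False      # audit hooks cannot be removed, so gate recording instead
_installed = False


def _hook(event, args):
    # Record only; raising here would hide which paths are actually covered.
    if _armed and event == "sqlite3.connect":
        _seen.append(args)


class _AuditedSubclass(sqlite3.Connection):
    """Hypothetical subclass: reaches Connection.__init__ without connect()."""


def _probe(factory):
    """Return True if calling factory(':memory:') raised 'sqlite3.connect'."""
    global _armed, _installed
    if not _installed:
        sys.addaudithook(_hook)
        _installed = True
    _seen.clear()
    _armed = True
    try:
        factory(":memory:").close()
    finally:
        _armed = False
    return len(_seen) > 0


def audit_coverage():
    """Map each construction path to whether the audit event was observed."""
    return {
        "sqlite3.connect": _probe(sqlite3.connect),
        "sqlite3.Connection": _probe(sqlite3.Connection),
        "Connection subclass": _probe(_AuditedSubclass),
    }


def bypass_present():
    """True when connect() is audited but direct Connection(...) is not."""
    cov = audit_coverage()
    return cov["sqlite3.connect"] and not cov["sqlite3.Connection"]


if __name__ == "__main__":
    for path, audited in audit_coverage().items():
        print(f"{path:22} audited={audited}")
```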