Relax constraints on the SQL used to set up the ticket schema slightly: (1) Allow creating views whose names begin with "ticket" or "fx_". (2) Allow creating tables whose names begin with "fx_". (3) Allow data changes to tables whose names begin with "fx_".
Commit
93c45cd4e04a59c60dd3477d1ae8f06187a6422263ba15401687798352d89aee
Parent
a759842a7adf9d5…
1 file changed
+28
-5
+28
-5
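--- a/src/tkt.c
+++ b/src/tkt.c
@@ -373,13 +373,30 @@
 return Th_Eval(g.interp, 0, zConfig, -1);
 }
 
 /*
 ** An authorizer function for the SQL used to initialize the
-** schema for the ticketing system. Only allow CREATE TABLE and
-** CREATE INDEX for tables whose names begin with "ticket" and
-** changes to tables whose names begin with "ticket".
+** schema for the ticketing system. Only allow
+**
+** CREATE TABLE
+** CREATE INDEX
+** CREATE VIEW
+**
+** And for objects in "main" or "repository" whose names
+** begin with "ticket" or "fx_". Also allow
+**
+** INSERT
+** UPDATE
+** DELETE
+**
+** But only for tables in "main" or "repository" whose names
+** begin with "ticket", "sqlite_", or "fx_".
+**
+** Of particular importance for security is that this routine
+** disallows data changes on the "config" table, as that could
+** allow a malicious server to modify settings in such a way as
+** to cause a remote code execution.
 */
 static int ticket_schema_auth(
 void *pNErr,
 int eCode,
 const char *z0,
@@ -386,17 +403,20 @@
 const char *z1,
 const char *z2,
 const char *z3
 ){
 switch( eCode ){
+ case SQLITE_CREATE_VIEW:
 case SQLITE_CREATE_TABLE: {
 if( sqlite3_stricmp(z2,"main")!=0
 && sqlite3_stricmp(z2,"repository")!=0
 ){
 goto ticket_schema_error;
 }
- if( sqlite3_strnicmp(z0,"ticket",6)!=0 ){
+ if( sqlite3_strnicmp(z0,"ticket",6)!=0
+ && sqlite3_strnicmp(z0,"fx_",3)!=0
+ ){
 goto ticket_schema_error;
 }
 break;
 }
 case SQLITE_CREATE_INDEX: {
@@ -403,11 +423,13 @@
 if( sqlite3_stricmp(z2,"main")!=0
 && sqlite3_stricmp(z2,"repository")!=0
 ){
 goto ticket_schema_error;
 }
- if( sqlite3_strnicmp(z1,"ticket",6)!=0 ){
+ if( sqlite3_strnicmp(z1,"ticket",6)!=0
+ && sqlite3_strnicmp(z0,"fx_",3)!=0
+ ){
 goto ticket_schema_error;
 }
 break;
 }
 case SQLITE_INSERT:
@@ -418,10 +440,11 @@
 ){
 goto ticket_schema_error;
 }
 if( sqlite3_strnicmp(z0,"ticket",6)!=0
 && sqlite3_strnicmp(z0,"sqlite_",7)!=0
+ && sqlite3_strnicmp(z0,"fx_",3)!=0
 ){
 goto ticket_schema_error;
 }
 break;
 }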
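Review bot: The new "fx_" condition in the SQLITE_CREATE_INDEX case tests `z0` while the line directly above it tests `z1`; for SQLITE_CREATE_INDEX the SQLite authorizer passes the index name as the third argument (z0) and the table name as the fourth (z1), which is why the pre-existing "ticket" guard used z1. As written, an index whose own name starts with "fx_" passes the guard regardless of which table in "main" or "repository" it is built on, which is wider than the policy the new header comment states (objects whose names begin with "ticket" or "fx_") and inconsistent with the CREATE TABLE case just above, where both prefixes are tested against the same name. The line should read `&& sqlite3_strnicmp(z1,"fx_",3)!=0` so that the index is permitted only on a "ticket" or "fx_" table. ticket_schema_auth begins in the first hunk and continues past the last one, so the remaining cases of the switch are not visible here. The same hunk is repeated in the split old/new views below this section.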
| --- src/tkt.c | |
| +++ src/tkt.c | |
| @@ -373,13 +373,30 @@ | |
| 373 | return Th_Eval(g.interp, 0, zConfig, -1); |
| 374 | } |
| 375 | |
| 376 | /* |
| 377 | ** An authorizer function for the SQL used to initialize the |
| 378 | ** schema for the ticketing system. Only allow CREATE TABLE and |
| 379 | ** CREATE INDEX for tables whose names begin with "ticket" and |
| 380 | ** changes to tables whose names begin with "ticket". |
| 381 | */ |
| 382 | static int ticket_schema_auth( |
| 383 | void *pNErr, |
| 384 | int eCode, |
| 385 | const char *z0, |
| @@ -386,17 +403,20 @@ | |
| 386 | const char *z1, |
| 387 | const char *z2, |
| 388 | const char *z3 |
| 389 | ){ |
| 390 | switch( eCode ){ |
| 391 | case SQLITE_CREATE_TABLE: { |
| 392 | if( sqlite3_stricmp(z2,"main")!=0 |
| 393 | && sqlite3_stricmp(z2,"repository")!=0 |
| 394 | ){ |
| 395 | goto ticket_schema_error; |
| 396 | } |
| 397 | if( sqlite3_strnicmp(z0,"ticket",6)!=0 ){ |
| 398 | goto ticket_schema_error; |
| 399 | } |
| 400 | break; |
| 401 | } |
| 402 | case SQLITE_CREATE_INDEX: { |
| @@ -403,11 +423,13 @@ | |
| 403 | if( sqlite3_stricmp(z2,"main")!=0 |
| 404 | && sqlite3_stricmp(z2,"repository")!=0 |
| 405 | ){ |
| 406 | goto ticket_schema_error; |
| 407 | } |
| 408 | if( sqlite3_strnicmp(z1,"ticket",6)!=0 ){ |
| 409 | goto ticket_schema_error; |
| 410 | } |
| 411 | break; |
| 412 | } |
| 413 | case SQLITE_INSERT: |
| @@ -418,10 +440,11 @@ | |
| 418 | ){ |
| 419 | goto ticket_schema_error; |
| 420 | } |
| 421 | if( sqlite3_strnicmp(z0,"ticket",6)!=0 |
| 422 | && sqlite3_strnicmp(z0,"sqlite_",7)!=0 |
| 423 | ){ |
| 424 | goto ticket_schema_error; |
| 425 | } |
| 426 | break; |
| 427 | } |
| 428 |
| --- src/tkt.c | |
| +++ src/tkt.c | |
| @@ -373,13 +373,30 @@ | |
| 373 | return Th_Eval(g.interp, 0, zConfig, -1); |
| 374 | } |
| 375 | |
| 376 | /* |
| 377 | ** An authorizer function for the SQL used to initialize the |
| 378 | ** schema for the ticketing system. Only allow |
| 379 | ** |
| 380 | ** CREATE TABLE |
| 381 | ** CREATE INDEX |
| 382 | ** CREATE VIEW |
| 383 | ** |
| 384 | ** And for objects in "main" or "repository" whose names |
| 385 | ** begin with "ticket" or "fx_". Also allow |
| 386 | ** |
| 387 | ** INSERT |
| 388 | ** UPDATE |
| 389 | ** DELETE |
| 390 | ** |
| 391 | ** But only for tables in "main" or "repository" whose names |
| 392 | ** begin with "ticket", "sqlite_", or "fx_". |
| 393 | ** |
| 394 | ** Of particular importance for security is that this routine |
| 395 | ** disallows data changes on the "config" table, as that could |
| 396 | ** allow a malicious server to modify settings in such a way as |
| 397 | ** to cause a remote code execution. |
| 398 | */ |
| 399 | static int ticket_schema_auth( |
| 400 | void *pNErr, |
| 401 | int eCode, |
| 402 | const char *z0, |
| @@ -386,17 +403,20 @@ | |
| 403 | const char *z1, |
| 404 | const char *z2, |
| 405 | const char *z3 |
| 406 | ){ |
| 407 | switch( eCode ){ |
| 408 | case SQLITE_CREATE_VIEW: |
| 409 | case SQLITE_CREATE_TABLE: { |
| 410 | if( sqlite3_stricmp(z2,"main")!=0 |
| 411 | && sqlite3_stricmp(z2,"repository")!=0 |
| 412 | ){ |
| 413 | goto ticket_schema_error; |
| 414 | } |
| 415 | if( sqlite3_strnicmp(z0,"ticket",6)!=0 |
| 416 | && sqlite3_strnicmp(z0,"fx_",3)!=0 |
| 417 | ){ |
| 418 | goto ticket_schema_error; |
| 419 | } |
| 420 | break; |
| 421 | } |
| 422 | case SQLITE_CREATE_INDEX: { |
| @@ -403,11 +423,13 @@ | |
| 423 | if( sqlite3_stricmp(z2,"main")!=0 |
| 424 | && sqlite3_stricmp(z2,"repository")!=0 |
| 425 | ){ |
| 426 | goto ticket_schema_error; |
| 427 | } |
| 428 | if( sqlite3_strnicmp(z1,"ticket",6)!=0 |
| 429 | && sqlite3_strnicmp(z0,"fx_",3)!=0 |
| 430 | ){ |
| 431 | goto ticket_schema_error; |
| 432 | } |
| 433 | break; |
| 434 | } |
| 435 | case SQLITE_INSERT: |
| @@ -418,10 +440,11 @@ | |
| 440 | ){ |
| 441 | goto ticket_schema_error; |
| 442 | } |
| 443 | if( sqlite3_strnicmp(z0,"ticket",6)!=0 |
| 444 | && sqlite3_strnicmp(z0,"sqlite_",7)!=0 |
| 445 | && sqlite3_strnicmp(z0,"fx_",3)!=0 |
| 446 | ){ |
| 447 | goto ticket_schema_error; |
| 448 | } |
| 449 | break; |
| 450 | } |
| 451 |