Fossil SCM
Update SQLite to the version that avoids opening databases on file descriptor 2 and that works inside a chroot jail. Fix a potential uninitialized variable in the CGI processing.
Commit
98b16c72c72a0cd0e9eef9369c85af308f90a448
Parent
320f14363e1a37d…
3 files changed
+1
-1
+13
-28
+1
-1
+1
-1
| --- src/cgi.c | ||
| +++ src/cgi.c | ||
| @@ -863,12 +863,12 @@ | ||
| 863 | 863 | g.zIpAddr = mprintf("%s", z); |
| 864 | 864 | } |
| 865 | 865 | |
| 866 | 866 | len = atoi(PD("CONTENT_LENGTH", "0")); |
| 867 | 867 | g.zContentType = zType = P("CONTENT_TYPE"); |
| 868 | + blob_zero(&g.cgiIn); | |
| 868 | 869 | if( len>0 && zType ){ |
| 869 | - blob_zero(&g.cgiIn); | |
| 870 | 870 | if( fossil_strcmp(zType,"application/x-www-form-urlencoded")==0 |
| 871 | 871 | || strncmp(zType,"multipart/form-data",19)==0 ){ |
| 872 | 872 | z = fossil_malloc( len+1 ); |
| 873 | 873 | len = fread(z, 1, len, g.httpIn); |
| 874 | 874 | z[len] = 0; |
| 875 | 875 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -863,12 +863,12 @@ | |
| 863 | g.zIpAddr = mprintf("%s", z); |
| 864 | } |
| 865 | |
| 866 | len = atoi(PD("CONTENT_LENGTH", "0")); |
| 867 | g.zContentType = zType = P("CONTENT_TYPE"); |
| 868 | if( len>0 && zType ){ |
| 869 | blob_zero(&g.cgiIn); |
| 870 | if( fossil_strcmp(zType,"application/x-www-form-urlencoded")==0 |
| 871 | || strncmp(zType,"multipart/form-data",19)==0 ){ |
| 872 | z = fossil_malloc( len+1 ); |
| 873 | len = fread(z, 1, len, g.httpIn); |
| 874 | z[len] = 0; |
| 875 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -863,12 +863,12 @@ | |
| 863 | g.zIpAddr = mprintf("%s", z); |
| 864 | } |
| 865 | |
| 866 | len = atoi(PD("CONTENT_LENGTH", "0")); |
| 867 | g.zContentType = zType = P("CONTENT_TYPE"); |
| 868 | blob_zero(&g.cgiIn); |
| 869 | if( len>0 && zType ){ |
| 870 | if( fossil_strcmp(zType,"application/x-www-form-urlencoded")==0 |
| 871 | || strncmp(zType,"multipart/form-data",19)==0 ){ |
| 872 | z = fossil_malloc( len+1 ); |
| 873 | len = fread(z, 1, len, g.httpIn); |
| 874 | z[len] = 0; |
| 875 |
+13
-28
| --- src/sqlite3.c | ||
| +++ src/sqlite3.c | ||
| @@ -656,11 +656,11 @@ | ||
| 656 | 656 | ** [sqlite3_libversion_number()], [sqlite3_sourceid()], |
| 657 | 657 | ** [sqlite_version()] and [sqlite_source_id()]. |
| 658 | 658 | */ |
| 659 | 659 | #define SQLITE_VERSION "3.8.1" |
| 660 | 660 | #define SQLITE_VERSION_NUMBER 3008001 |
| 661 | -#define SQLITE_SOURCE_ID "2013-08-29 23:36:49 30d38cc44904d93508b87e373b2f45d5f93e556b" | |
| 661 | +#define SQLITE_SOURCE_ID "2013-08-30 06:20:23 d9c018f8155ab48df8e0e02519bba50588fe49fc" | |
| 662 | 662 | |
| 663 | 663 | /* |
| 664 | 664 | ** CAPI3REF: Run-Time Library Version Numbers |
| 665 | 665 | ** KEYWORDS: sqlite3_version, sqlite3_sourceid |
| 666 | 666 | ** |
| @@ -23594,35 +23594,10 @@ | ||
| 23594 | 23594 | if( aSyscall[i].pCurrent!=0 ) return aSyscall[i].zName; |
| 23595 | 23595 | } |
| 23596 | 23596 | return 0; |
| 23597 | 23597 | } |
| 23598 | 23598 | |
| 23599 | -/* | |
| 23600 | -** If fd is a file descriptor that would be dangerous to use for an | |
| 23601 | -** ordinary file, the close it, reopen it as /dev/null to get it out | |
| 23602 | -** of the way, then return true. | |
| 23603 | -** | |
| 23604 | -** If fd is safe, return 0. | |
| 23605 | -** | |
| 23606 | -** It is dangerous to have a database file open of file descriptors 1 or | |
| 23607 | -** 2 because those normally mean standard output and standard error. Other | |
| 23608 | -** components of the system might write directly to those file descriptors | |
| 23609 | -** and overwrite parts of the database file. Something like this happened | |
| 23610 | -** on 2013-08-29 to the canonical Fossil repository when some error caused | |
| 23611 | -** the database file to be opened on file descriptor 2 and later an assert() | |
| 23612 | -** fired and wrote error message text into file descriptor 2, corrupting | |
| 23613 | -** the repository. | |
| 23614 | -*/ | |
| 23615 | -static int isReservedFd(int fd, const char *z, int f, int m){ | |
| 23616 | - if( fd<0 || fd>2 ) return 0; | |
| 23617 | - sqlite3_log(SQLITE_WARNING, | |
| 23618 | - "attempt to open \"%s\" as file descriptor %d", z, fd); | |
| 23619 | - osClose(fd); | |
| 23620 | - (void)osOpen("/dev/null",f,m); | |
| 23621 | - return 1; | |
| 23622 | -} | |
| 23623 | - | |
| 23624 | 23599 | /* |
| 23625 | 23600 | ** Invoke open(). Do so multiple times, until it either succeeds or |
| 23626 | 23601 | ** fails for some reason other than EINTR. |
| 23627 | 23602 | ** |
| 23628 | 23603 | ** If the file creation mode "m" is 0 then set it to the default for |
| @@ -23639,17 +23614,27 @@ | ||
| 23639 | 23614 | ** recover the hot journals. |
| 23640 | 23615 | */ |
| 23641 | 23616 | static int robust_open(const char *z, int f, mode_t m){ |
| 23642 | 23617 | int fd; |
| 23643 | 23618 | mode_t m2 = m ? m : SQLITE_DEFAULT_FILE_PERMISSIONS; |
| 23644 | - do{ | |
| 23619 | + while(1){ | |
| 23645 | 23620 | #if defined(O_CLOEXEC) |
| 23646 | 23621 | fd = osOpen(z,f|O_CLOEXEC,m2); |
| 23647 | 23622 | #else |
| 23648 | 23623 | fd = osOpen(z,f,m2); |
| 23649 | 23624 | #endif |
| 23650 | - }while( (fd<0 && errno==EINTR) || isReservedFd(fd,z,f,m2) ); | |
| 23625 | + if( fd<0 ){ | |
| 23626 | + if( errno==EINTR ) continue; | |
| 23627 | + break; | |
| 23628 | + } | |
| 23629 | + if( fd>2 ) break; | |
| 23630 | + osClose(fd); | |
| 23631 | + sqlite3_log(SQLITE_WARNING, | |
| 23632 | + "attempt to open \"%s\" as file descriptor %d", z, fd); | |
| 23633 | + fd = -1; | |
| 23634 | + if( osOpen("/dev/null", f, m)<0 ) break; | |
| 23635 | + } | |
| 23651 | 23636 | if( fd>=0 ){ |
| 23652 | 23637 | if( m!=0 ){ |
| 23653 | 23638 | struct stat statbuf; |
| 23654 | 23639 | if( osFstat(fd, &statbuf)==0 |
| 23655 | 23640 | && statbuf.st_size==0 |
| 23656 | 23641 |
| --- src/sqlite3.c | |
| +++ src/sqlite3.c | |
| @@ -656,11 +656,11 @@ | |
| 656 | ** [sqlite3_libversion_number()], [sqlite3_sourceid()], |
| 657 | ** [sqlite_version()] and [sqlite_source_id()]. |
| 658 | */ |
| 659 | #define SQLITE_VERSION "3.8.1" |
| 660 | #define SQLITE_VERSION_NUMBER 3008001 |
| 661 | #define SQLITE_SOURCE_ID "2013-08-29 23:36:49 30d38cc44904d93508b87e373b2f45d5f93e556b" |
| 662 | |
| 663 | /* |
| 664 | ** CAPI3REF: Run-Time Library Version Numbers |
| 665 | ** KEYWORDS: sqlite3_version, sqlite3_sourceid |
| 666 | ** |
| @@ -23594,35 +23594,10 @@ | |
| 23594 | if( aSyscall[i].pCurrent!=0 ) return aSyscall[i].zName; |
| 23595 | } |
| 23596 | return 0; |
| 23597 | } |
| 23598 | |
| 23599 | /* |
| 23600 | ** If fd is a file descriptor that would be dangerous to use for an |
| 23601 | ** ordinary file, the close it, reopen it as /dev/null to get it out |
| 23602 | ** of the way, then return true. |
| 23603 | ** |
| 23604 | ** If fd is safe, return 0. |
| 23605 | ** |
| 23606 | ** It is dangerous to have a database file open of file descriptors 1 or |
| 23607 | ** 2 because those normally mean standard output and standard error. Other |
| 23608 | ** components of the system might write directly to those file descriptors |
| 23609 | ** and overwrite parts of the database file. Something like this happened |
| 23610 | ** on 2013-08-29 to the canonical Fossil repository when some error caused |
| 23611 | ** the database file to be opened on file descriptor 2 and later an assert() |
| 23612 | ** fired and wrote error message text into file descriptor 2, corrupting |
| 23613 | ** the repository. |
| 23614 | */ |
| 23615 | static int isReservedFd(int fd, const char *z, int f, int m){ |
| 23616 | if( fd<0 || fd>2 ) return 0; |
| 23617 | sqlite3_log(SQLITE_WARNING, |
| 23618 | "attempt to open \"%s\" as file descriptor %d", z, fd); |
| 23619 | osClose(fd); |
| 23620 | (void)osOpen("/dev/null",f,m); |
| 23621 | return 1; |
| 23622 | } |
| 23623 | |
| 23624 | /* |
| 23625 | ** Invoke open(). Do so multiple times, until it either succeeds or |
| 23626 | ** fails for some reason other than EINTR. |
| 23627 | ** |
| 23628 | ** If the file creation mode "m" is 0 then set it to the default for |
| @@ -23639,17 +23614,27 @@ | |
| 23639 | ** recover the hot journals. |
| 23640 | */ |
| 23641 | static int robust_open(const char *z, int f, mode_t m){ |
| 23642 | int fd; |
| 23643 | mode_t m2 = m ? m : SQLITE_DEFAULT_FILE_PERMISSIONS; |
| 23644 | do{ |
| 23645 | #if defined(O_CLOEXEC) |
| 23646 | fd = osOpen(z,f|O_CLOEXEC,m2); |
| 23647 | #else |
| 23648 | fd = osOpen(z,f,m2); |
| 23649 | #endif |
| 23650 | }while( (fd<0 && errno==EINTR) || isReservedFd(fd,z,f,m2) ); |
| 23651 | if( fd>=0 ){ |
| 23652 | if( m!=0 ){ |
| 23653 | struct stat statbuf; |
| 23654 | if( osFstat(fd, &statbuf)==0 |
| 23655 | && statbuf.st_size==0 |
| 23656 |
| --- src/sqlite3.c | |
| +++ src/sqlite3.c | |
| @@ -656,11 +656,11 @@ | |
| 656 | ** [sqlite3_libversion_number()], [sqlite3_sourceid()], |
| 657 | ** [sqlite_version()] and [sqlite_source_id()]. |
| 658 | */ |
| 659 | #define SQLITE_VERSION "3.8.1" |
| 660 | #define SQLITE_VERSION_NUMBER 3008001 |
| 661 | #define SQLITE_SOURCE_ID "2013-08-30 06:20:23 d9c018f8155ab48df8e0e02519bba50588fe49fc" |
| 662 | |
| 663 | /* |
| 664 | ** CAPI3REF: Run-Time Library Version Numbers |
| 665 | ** KEYWORDS: sqlite3_version, sqlite3_sourceid |
| 666 | ** |
| @@ -23594,35 +23594,10 @@ | |
| 23594 | if( aSyscall[i].pCurrent!=0 ) return aSyscall[i].zName; |
| 23595 | } |
| 23596 | return 0; |
| 23597 | } |
| 23598 | |
| 23599 | /* |
| 23600 | ** Invoke open(). Do so multiple times, until it either succeeds or |
| 23601 | ** fails for some reason other than EINTR. |
| 23602 | ** |
| 23603 | ** If the file creation mode "m" is 0 then set it to the default for |
| @@ -23639,17 +23614,27 @@ | |
| 23614 | ** recover the hot journals. |
| 23615 | */ |
| 23616 | static int robust_open(const char *z, int f, mode_t m){ |
| 23617 | int fd; |
| 23618 | mode_t m2 = m ? m : SQLITE_DEFAULT_FILE_PERMISSIONS; |
| 23619 | while(1){ |
| 23620 | #if defined(O_CLOEXEC) |
| 23621 | fd = osOpen(z,f|O_CLOEXEC,m2); |
| 23622 | #else |
| 23623 | fd = osOpen(z,f,m2); |
| 23624 | #endif |
| 23625 | if( fd<0 ){ |
| 23626 | if( errno==EINTR ) continue; |
| 23627 | break; |
| 23628 | } |
| 23629 | if( fd>2 ) break; |
| 23630 | osClose(fd); |
| 23631 | sqlite3_log(SQLITE_WARNING, |
| 23632 | "attempt to open \"%s\" as file descriptor %d", z, fd); |
| 23633 | fd = -1; |
| 23634 | if( osOpen("/dev/null", f, m)<0 ) break; |
| 23635 | } |
| 23636 | if( fd>=0 ){ |
| 23637 | if( m!=0 ){ |
| 23638 | struct stat statbuf; |
| 23639 | if( osFstat(fd, &statbuf)==0 |
| 23640 | && statbuf.st_size==0 |
| 23641 |
+1
-1
| --- src/sqlite3.h | ||
| +++ src/sqlite3.h | ||
| @@ -107,11 +107,11 @@ | ||
| 107 | 107 | ** [sqlite3_libversion_number()], [sqlite3_sourceid()], |
| 108 | 108 | ** [sqlite_version()] and [sqlite_source_id()]. |
| 109 | 109 | */ |
| 110 | 110 | #define SQLITE_VERSION "3.8.1" |
| 111 | 111 | #define SQLITE_VERSION_NUMBER 3008001 |
| 112 | -#define SQLITE_SOURCE_ID "2013-08-29 23:36:49 30d38cc44904d93508b87e373b2f45d5f93e556b" | |
| 112 | +#define SQLITE_SOURCE_ID "2013-08-30 06:20:23 d9c018f8155ab48df8e0e02519bba50588fe49fc" | |
| 113 | 113 | |
| 114 | 114 | /* |
| 115 | 115 | ** CAPI3REF: Run-Time Library Version Numbers |
| 116 | 116 | ** KEYWORDS: sqlite3_version, sqlite3_sourceid |
| 117 | 117 | ** |
| 118 | 118 |
| --- src/sqlite3.h | |
| +++ src/sqlite3.h | |
| @@ -107,11 +107,11 @@ | |
| 107 | ** [sqlite3_libversion_number()], [sqlite3_sourceid()], |
| 108 | ** [sqlite_version()] and [sqlite_source_id()]. |
| 109 | */ |
| 110 | #define SQLITE_VERSION "3.8.1" |
| 111 | #define SQLITE_VERSION_NUMBER 3008001 |
| 112 | #define SQLITE_SOURCE_ID "2013-08-29 23:36:49 30d38cc44904d93508b87e373b2f45d5f93e556b" |
| 113 | |
| 114 | /* |
| 115 | ** CAPI3REF: Run-Time Library Version Numbers |
| 116 | ** KEYWORDS: sqlite3_version, sqlite3_sourceid |
| 117 | ** |
| 118 |
| --- src/sqlite3.h | |
| +++ src/sqlite3.h | |
| @@ -107,11 +107,11 @@ | |
| 107 | ** [sqlite3_libversion_number()], [sqlite3_sourceid()], |
| 108 | ** [sqlite_version()] and [sqlite_source_id()]. |
| 109 | */ |
| 110 | #define SQLITE_VERSION "3.8.1" |
| 111 | #define SQLITE_VERSION_NUMBER 3008001 |
| 112 | #define SQLITE_SOURCE_ID "2013-08-30 06:20:23 d9c018f8155ab48df8e0e02519bba50588fe49fc" |
| 113 | |
| 114 | /* |
| 115 | ** CAPI3REF: Run-Time Library Version Numbers |
| 116 | ** KEYWORDS: sqlite3_version, sqlite3_sourceid |
| 117 | ** |
| 118 |