➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2021-03-08 12:53 by erlendaasland, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| audit.py | erlendaasland, 2021-03-08 12:53 | |||
| patch.diff | erlendaasland, 2021-03-08 12:54 | |||
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 25818 | merged | erlendaasland, 2021-05-02 16:04 | |
| PR 25822 | merged | erlendaasland, 2021-05-02 21:43 | |
| PR 25823 | merged | erlendaasland, 2021-05-02 21:46 | |
| PR 25825 | merged | erlendaasland, 2021-05-02 22:19 | |
| PR 25826 | closed | miss-islington, 2021-05-02 22:43 | |
| Messages (13) | |||
|---|---|---|---|
| msg388264 - (view) | Author: Erlend E. Aasland (erlendaasland) *  |
Date: 2021-03-08 12:53 | |
The module level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module level connect() method simply by creating a new sqlite3.Connection object directly.
Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().
>>> import sqlite3, sys
>>> def hook(s, e):
... if s == 'sqlite3.connect':
... raise PermissionError
...
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>
|
|||
| msg392393 - (view) | Author: Erlend E. Aasland (erlendaasland) * |
Date: 2021-04-30 08:47 | |
Steve, is it worth it to improve this? |
|||
| msg392702 - (view) | Author: Steve Dower (steve.dower) *  |
Date: 2021-05-02 14:39 | |
Yes, let's move it into the init function. |
|||
| msg392709 - (view) | Author: Erlend E. Aasland (erlendaasland) * |
Date: 2021-05-02 16:17 | |
The PR accidentally fixes a bug in GH-25246 (bpo-43762): The object passed to PySys_Audit() is now the connection object, not the module object. |
|||
| msg392724 - (view) | Author: Erlend E. Aasland (erlendaasland) * |
Date: 2021-05-02 20:26 | |
Steve, can we get this in before beta1 (bco. the bugfix)? |
|||
| msg392735 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-05-02 21:25 | |
New changeset c96cc089f60d2bf7e003c27413c3239ee9de2990 by Erlend Egeberg Aasland in branch 'master': bpo-43434: Move sqlite3.connect audit events to sqlite3.Connection.__init__ (GH-25818) https://github.com/python/cpython/commit/c96cc089f60d2bf7e003c27413c3239ee9de2990 |
|||
| msg392736 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-05-02 21:25 | |
We could get this one in after beta 1 anyway, but sure, it's in. The backports are going to have to be manual, I suspect... |
|||
| msg392737 - (view) | Author: Erlend E. Aasland (erlendaasland) * |
Date: 2021-05-02 21:29 | |
Thanks! :) I'll fix the backports. |
|||
| msg392742 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-05-02 22:04 | |
Thanks, Erlend! Appreciate how quickly you got onto that, and the quality of your work. |
|||
| msg392743 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-05-02 22:11 | |
New changeset cbb7b9ed4a6069a2cb2e2f809926c2cfa332a493 by Erlend Egeberg Aasland in branch 'master': bpo-43434: Clean up sqlite3.connect() after GH-25818 (GH-25823) https://github.com/python/cpython/commit/cbb7b9ed4a6069a2cb2e2f809926c2cfa332a493 |
|||
| msg392745 - (view) | Author: Erlend E. Aasland (erlendaasland) * |
Date: 2021-05-02 22:29 | |
Thanks, Steve, that means a lot! Glad to help. Thank you for getting it into beta1. Having the new event out there with the wrong object passed to it would have been a tiny bit embarrassing :) |
|||
| msg392748 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-05-02 22:43 | |
New changeset ad73d1657ca3591b1dd1d15bb80ce83ca7fc3223 by Erlend Egeberg Aasland in branch '3.9': bpo-43434: Move sqlite3.connect audit event to sqlite3.Connection.__init__ (GH-25818) https://github.com/python/cpython/commit/ad73d1657ca3591b1dd1d15bb80ce83ca7fc3223 |
|||
| msg392749 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2021-05-02 22:55 | |
New changeset 10665ac37313560fe87460cf4a5c26677049bf62 by Erlend Egeberg Aasland in branch '3.8': bpo-43434: Move sqlite3.connect audit events to sqlite3.Connection.__init__ (GH-25818) https://github.com/python/cpython/commit/10665ac37313560fe87460cf4a5c26677049bf62 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:42 | admin | set | github: 87600 |
| 2021-05-02 22:56:58 | steve.dower | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2021-05-02 22:55:36 | steve.dower | set | messages: + msg392749 |
| 2021-05-02 22:43:29 | miss-islington | set | nosy:
+ miss-islington pull_requests: + pull_request24514 |
| 2021-05-02 22:43:09 | steve.dower | set | messages: + msg392748 |
| 2021-05-02 22:29:18 | erlendaasland | set | messages: + msg392745 |
| 2021-05-02 22:19:01 | erlendaasland | set | pull_requests: + pull_request24513 |
| 2021-05-02 22:11:01 | steve.dower | set | messages: + msg392743 |
| 2021-05-02 22:04:32 | steve.dower | set | messages: + msg392742 |
| 2021-05-02 21:46:44 | erlendaasland | set | pull_requests: + pull_request24510 |
| 2021-05-02 21:43:48 | erlendaasland | set | stage: backport needed -> patch review pull_requests: + pull_request24509 |
| 2021-05-02 21:29:45 | erlendaasland | set | messages: + msg392737 |
| 2021-05-02 21:25:47 | steve.dower | set | messages:
+ msg392736 stage: patch review -> backport needed |
| 2021-05-02 21:25:25 | steve.dower | set | messages: + msg392735 |
| 2021-05-02 20:26:41 | erlendaasland | set | messages: + msg392724 |
| 2021-05-02 16:17:12 | erlendaasland | set | messages: + msg392709 |
| 2021-05-02 16:04:16 | erlendaasland | set | stage: patch review pull_requests: + pull_request24504 |
| 2021-05-02 14:39:02 | steve.dower | set | messages: + msg392702 |
| 2021-04-30 08:47:28 | erlendaasland | set | messages: + msg392393 |
| 2021-03-08 12:54:11 | erlendaasland | set | files:
+ patch.diff keywords: + patch |
| 2021-03-08 12:53:59 | erlendaasland | create | |