classification
Title: [sqlite3] Use SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION iso. sqlite3_enable_load_extension()
Type: security Stage:
Components: Extension Modules Versions: Python 3.10
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: berker.peksag, christian.heimes, erlendaasland
Priority: normal Keywords: patch

Created on 2021-04-07 11:36 by erlendaasland, last changed 2021-04-07 13:15 by erlendaasland.

Files
File name Uploaded Description Edit
patch.diff erlendaasland, 2021-04-07 13:15
Messages (4)
msg390422 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2021-04-07 11:36
Quoting from the SQLite docs:
"It is recommended that extension loading be enabled using the SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION method rather than this interface, so the load_extension() SQL function remains disabled. This will prevent SQL injections from giving attackers access to extension loading capabilities."

Suggesting to make sqlite3.Connection.enable_load_extension a module level function, and use sqlite3_db_config() iso. sqlite3_enable_load_extension(). We could add an optional argument for also enabling the SQL function.

1. Introduce sqlite3.enable_load_extension(enable, /, enable_sql_api=False)
2. Add deprecation warning to sqlite3.Connection.enable_load_extension()
3. In Python 3.12, remove sqlite3.Connection.enable_load_extension()
msg390427 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2021-04-07 12:29
> We could add an optional argument for also enabling the SQL function.

Actually, using sqlite3_db_config(SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION, ...) can only enable the C API, not the SQL API, so adding an optional argument to sqlite3.enable_load_extension() makes no sense.
msg390428 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2021-04-07 12:36
> Suggesting to make sqlite3.Connection.enable_load_extension a module level function

This actually needs to be a sqlite3.Connection method, thus altering the behaviour of the current function.
msg390431 - (view) Author: Erlend Egeberg Aasland (erlendaasland) * Date: 2021-04-07 13:15
Attached patch alters the behaviour of sqlite3.Connection.enable_load_extension() to never enabling the SQL API.

This may require a deprecation period and a warning since it's a change in behaviour, but since enable_load_extention() is not enabled by default, we can perhaps do without the warning?
History
Date User Action Args
2021-04-07 13:15:07erlendaaslandsetfiles: + patch.diff
keywords: + patch
messages: + msg390431
2021-04-07 12:36:04erlendaaslandsetmessages: + msg390428
2021-04-07 12:29:47erlendaaslandsetmessages: + msg390427
2021-04-07 11:36:12erlendaaslandcreate