sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks #87600
Comments
|
The module level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module level connect() method simply by creating a new sqlite3.Connection object directly. Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init(). >>> import sqlite3, sys
>>> def hook(s, e):
... if s == 'sqlite3.connect':
... raise PermissionError
...
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80> |
erlend-aasland
added
3.8
|
Steve, is it worth it to improve this? |
|
Yes, let's move it into the init function. |
|
Steve, can we get this in before beta1 (bco. the bugfix)? |
|
We could get this one in after beta 1 anyway, but sure, it's in. The backports are going to have to be manual, I suspect... |
|
Thanks! :) I'll fix the backports. |
|
Thanks, Erlend! Appreciate how quickly you got onto that, and the quality of your work. |
|
Thanks, Steve, that means a lot! Glad to help. Thank you for getting it into beta1. Having the new event out there with the wrong object passed to it would have been a tiny bit embarrassing :) |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: