sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks #87600
The module level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module level connect() method simply by creating a new sqlite3.Connection object directly. Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().

>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...         raise PermissionError
...
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>
Steve, is it worth it to improve this?

Yes, let's move it into the init function.

Steve, can we get this in before beta1 (bco. the bugfix)?

We could get this one in after beta 1 anyway, but sure, it's in. The backports are going to have to be manual, I suspect...

Thanks! :) I'll fix the backports.

Thanks, Erlend! Appreciate how quickly you got onto that, and the quality of your work.

Thanks, Steve, that means a lot! Glad to help. Thank you for getting it into beta1. Having the new event out there with the wrong object passed to it would have been a tiny bit embarrassing :)
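A regression check for the gap reported at the top of this issue, added here as an example and not taken from the thread or from CPython: it uses a passive audit hook to report which ways of constructing a connection open a database without raising 'sqlite3.connect'. The helper names and the subclass case are assumptions that go one step beyond the report; on an interpreter where the audit call sits in the init function, the list comes back empty.

```python
import sqlite3
import sys

_recording = False   # audit hooks cannot be removed, so gate the hook with a flag
_installed = False
_seen = []           # args of 'sqlite3.connect' events raised during a probe


def _hook(event, args):
    # Passive hook: records instead of raising, so the probe never blocks a caller.
    if _recording and event == "sqlite3.connect":
        _seen.append(args)


def probe(factory):
    """Return True if factory(':memory:') raised the 'sqlite3.connect' event."""
    global _recording, _installed
    if not _installed:
        sys.addaudithook(_hook)
        _installed = True
    _seen.clear()
    _recording = True
    try:
        factory(":memory:").close()
    finally:
        _recording = False
    return bool(_seen)


class SubclassedConnection(sqlite3.Connection):
    """Hypothetical subclass: a third way to reach Connection.__init__()."""


def unaudited_paths():
    """Names of the construction paths that opened a database without the event."""
    paths = {
        "sqlite3.connect()": sqlite3.connect,
        "sqlite3.Connection()": sqlite3.Connection,
        "Connection subclass": SubclassedConnection,
    }
    return [name for name, factory in paths.items() if not probe(factory)]


if __name__ == "__main__":
    missed = unaudited_paths()
    print("unaudited paths:", missed or "none")
```

A non-empty result means a policy hook keyed on 'sqlite3.connect' can be sidestepped on that interpreter build.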