Add audit events for loading of sqlite3 extensions #87928
Comments
|
If Python is configured with --enable-loadable-sqlite-extensions, it is possible to load third party SQLite extensions (shared libraries/DLL’s) via the sqlite3 extension module. When enabled, the sqlite3.Connection.enable_load_extension() class method will enable the loading of third party extensions via SQL queries, using the SQL function load_extension(). It also enables loading extension via C, using the sqlite3.Connection.load_extension() class method. Suggesting to add the following audit event names to respectively the sqlite3.Connection.enable_load_extension() and sqlite3.Connection.load_extension() methods:
Ref. |
erlend-aasland
added
3.10
|
Left some minor suggestions on the PR, but wanted to copy this comment here as well: I wonder if it's worth returning the connection object when it's created (through a new event in module.c) and then reference it in these events? That can then correlate these (and other) events with the file - we do this already for sockets. After some thought, I think it's probably not worth it for these ones. The important information is in the extension being loaded, and it doesn't really relate to the connection at all. However, if we wanted to add it later, we couldn't. So might be worth doing now? |
|
Good question. sqlite3_load_extension() loads an extension into a database connection, so it would make sense to also pass the connection object. I'd say we do it; it's a small change, and as you say: if we wanted to add it later, we couldn't. Ref. |
|
Something like the attached patch, if I understand you correctly? |
|
Maybe it's better to send the event only if the connection succeeded: diff --git a/Modules/_sqlite/module.c b/Modules/_sqlite/module.c
index 8dbfa7b38a..0220978cf2 100644
--- a/Modules/_sqlite/module.c
+++ b/Modules/_sqlite/module.c
@@ -97,6 +97,12 @@ static PyObject* module_connect(PyObject* self, PyObject* args, PyObject*
result = PyObject_Call(factory, args, kwargs);
+ if (result) {
+ if (PySys_Audit("sqlite3.connected", "O", self) < 0) {
+ return -1;
+ }
+ }
+
return result;
} |
|
Yeah, along those lines. I believe the event is ".../result" in other places, just to be clear that it's not a function with that name. Also, don't forget to clean up when returning early from the connected event. We don't want to leak the connection object if the hook raises an error. |
|
Ah, yes thanks for the heads up! I'll update the PR. |
|
Thanks for the PR! |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: