Message388264
The module level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module level connect() method simply by creating a new sqlite3.Connection object directly.
Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().
>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...         raise PermissionError
...
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>

Date | User | Action | Args
2021-03-08 12:53:59 | erlendaasland | set | recipients: + erlendaasland, berker.peksag, steve.dower
2021-03-08 12:53:59 | erlendaasland | set | messageid: <1615208039.92.0.863639207352.issue43434@roundup.psfhosted.org>
2021-03-08 12:53:59 | erlendaasland | link | issue43434 messages
2021-03-08 12:53:59 | erlendaasland | create |
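
As an added example (not part of the original report and not CPython's own code): a self-check to run on the interpreter you deploy, reporting whether each way of opening a connection is stopped by a hook that denies the `sqlite3.connect` event. It goes beyond the two calls in the report by also testing a constructed subclass, `_Sub`; all helper names here are assumptions.

```python
import sqlite3
import sys

_armed = False  # audit hooks cannot be removed, so gate ours with a flag


def _deny_sqlite_connect(event, args):
    # Same policy as the hook in the report: refuse any 'sqlite3.connect' event.
    if _armed and event == "sqlite3.connect":
        raise PermissionError("sqlite3.connect denied by audit hook")


sys.addaudithook(_deny_sqlite_connect)


class _Sub(sqlite3.Connection):
    """Constructed subclass: reaches Connection.__init__ via inheritance."""


# Each entry opens an in-memory database through a different code path.
ENTRY_POINTS = {
    "sqlite3.connect()": lambda: sqlite3.connect(":memory:"),
    "sqlite3.Connection()": lambda: sqlite3.Connection(":memory:"),
    "Connection subclass": lambda: _Sub(":memory:"),
}


def audit_coverage():
    """Return {entry point: True if the hook blocked it, False if bypassed}."""
    global _armed
    results = {}
    for name, opener in ENTRY_POINTS.items():
        _armed = True
        try:
            conn = opener()
        except PermissionError:
            results[name] = True       # the audit event fired on this path
        else:
            results[name] = False      # connection opened without the event
            conn.close()
        finally:
            _armed = False             # leave the permanent hook inert
    return results


if __name__ == "__main__":
    for name, blocked in audit_coverage().items():
        print(f"{name:24} {'blocked' if blocked else 'BYPASSES audit hook'}")
```

Any entry reported as bypassing means a hook keyed on `sqlite3.connect` cannot be relied on as the only control for database access on that interpreter.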