
Author erlendaasland
Recipients berker.peksag, erlendaasland, steve.dower
Date 2021-03-08.12:53:59
Message-id <1615208039.92.0.863639207352.issue43434@roundup.psfhosted.org>
Content
The module-level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module-level connect() method simply by creating a new sqlite3.Connection object directly.

Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().


>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...             raise PermissionError
... 
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>
History
Date User Action Args
2021-03-08 12:53:59 erlendaasland set recipients: + erlendaasland, berker.peksag, steve.dower
2021-03-08 12:53:59 erlendaasland set messageid: <1615208039.92.0.863639207352.issue43434@roundup.psfhosted.org>
2021-03-08 12:53:59 erlendaasland link issue43434 messages
2021-03-08 12:53:59 erlendaasland create
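
Added example (not part of the original message or of CPython's code): a coverage check for the report above that records, rather than blocks, the sqlite3.connect audit event and reports which ways of opening a connection raise it. The SubConnection class and the helper names are assumptions made for this example; on an interpreter that behaves as reported, the direct Connection entries come back as not audited.

```python
import sqlite3
import sys

_seen = []          # audit args recorded while _recording is True
_recording = False  # audit hooks cannot be removed, so gate the hook with a flag


def _hook(event, args):
    # Record only; never raise here, so the check itself cannot be blocked.
    if _recording and event == "sqlite3.connect":
        _seen.append(args)


sys.addaudithook(_hook)


class SubConnection(sqlite3.Connection):
    """Hypothetical subclass: a third way to reach Connection.__init__()."""


def fired(factory):
    """Return True if calling factory(':memory:') raised the audit event."""
    global _recording
    _seen.clear()
    _recording = True
    try:
        factory(":memory:").close()
    finally:
        _recording = False
    return bool(_seen)


def audit_coverage():
    """Map each way of opening a connection to whether it was audited."""
    return {
        "sqlite3.connect": fired(sqlite3.connect),
        "sqlite3.Connection": fired(sqlite3.Connection),
        "Connection subclass": fired(SubConnection),
    }


if __name__ == "__main__":
    for name, ok in audit_coverage().items():
        print(f"{name:22} {'audited' if ok else 'NOT audited'}")
```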