On 27 Aug 2019, at 9:40pm, Jens Alfke <j...@mooseyard.com> wrote:

> My question was simply whether SQLite itself is considered safe when 
> operating on an untrusted database file.

A worthwhile question which I discussed a little in an earlier post.

The SQLite devs take this question extremely seriously.  SQLite is not meant to 
crash.  SQLite is not meant to execute untrusted code.  It should not be 
possible for the contents of any file SQLite opens to influence the way SQLite 
works.

You will see a fast, high-quality response to identification of any such 
vulnerability, as has happened in the past.

I'll add a note here about what 'untrusted' means.  A programmer can tell 
SQLite to execute external code.  This can be done using external functions, 
external collations, external routines (e.g. the busy handler callback), and 
other things.  These things must be possible for SQLite to work properly.  
However, having SQLite execute external code is something that only the 
programmer should be able to do.  It should not be possible to make it happen 
using a carefully-crafted database file, or even through some action by the 
user.  And as far as we know, it isn't.
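An added illustration of the point about external code, using Python's sqlite3 module (not part of the original message and not SQLite project code): an application-defined function lives on the connection that registered it, and the database file stores only the function's name inside the view's SQL text. The function `redact`, the table, the view and the file name are constructed for this example.

```python
import os
import sqlite3
import tempfile


def redact(value):
    # Application code: exists only in the process that registers it.
    return "*" * len(value)


def build_database(path):
    """Trusted writer: registers redact() and stores a view that names it."""
    con = sqlite3.connect(path)
    con.create_function("redact", 1, redact)
    con.execute("CREATE TABLE users(name TEXT)")
    con.execute("INSERT INTO users VALUES ('alice')")
    con.execute("CREATE VIEW masked AS SELECT redact(name) AS name FROM users")
    con.commit()
    masked = con.execute("SELECT redact(name) FROM users").fetchone()[0]
    con.close()
    return masked


def open_untrusted(path):
    """Reader treating the file as untrusted: read-only, nothing registered."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        # The file carries the view's SQL text, i.e. a function *name* only.
        view_sql = con.execute(
            "SELECT sql FROM sqlite_master WHERE name = 'masked'").fetchone()[0]
        try:
            outcome = con.execute("SELECT name FROM masked").fetchone()[0]
        except sqlite3.OperationalError as exc:
            # No code travelled with the file, so the name cannot be resolved.
            outcome = f"error: {exc}"
        return view_sql, outcome
    finally:
        con.close()


def demo():
    # Constructed sample database in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        return (build_database(path),) + open_untrusted(path)


if __name__ == "__main__":
    print(demo())
```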