On 27 Aug 2019, at 7:47pm, Jens Alfke <j...@mooseyard.com> wrote: > Archive files often get transferred between people. Using this format for > that purpose would involve opening and reading untrusted SQLite database > files. Is that safe? Could maliciously corrupting the schema or other > metadata of a database cause security problems for the client accessing the > database?
You're thinking of an exploit like a ZIP bomb. This is a small, maliciously-constructed ZIP file which expands into a huge amount of contents. A well-known example is a 42 kilobyte zip file which unzips into 4.5 petabytes of contents. Other problems include overwriting in-archive filenames with illegal characters like a colon and a slash, then relying on oversights in OS routines to do nasty things to your file structure. I'm going to let the devs handle this one. _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
