Dear Beyond Linux From Scratch folks,

The configuration instructions for SQLite [1] still enable the two-argument
version of the fts3_tokenizer() interface.

    -DSQLITE_ENABLE_FTS3_TOKENIZER=1

The command explanations do not contain that.

> CFLAGS="-g -O2 -DSQLITE_ENABLE_FTS3=1 -DSQLITE_ENABLE_FTS4=1
> -DSQLITE_ENABLE_COLUMN_METADATA=1 -DSQLITE_SECURE_DELETE
> -DSQLITE_ENABLE_UNLOCK_NOTIFY=1 -DSQLITE_ENABLE_DBSTAT_VTAB=1":
> Applications such as Firefox require secure delete and enable unlock
> notify to be turned on. Since firefox-41 the dbstat virtual table and
> FTS3/4 are also required. The only way to do this is to include them
> in the CFLAGS. By default, these are set to "-g -O2" so we specify
> that to preserve those settings. You may, of course, wish to omit the
> '-g' if you do not wish to create debugging information. For further
> information on what can be specified see
> http://www.sqlite.org/compile.html.

So, I wonder if that is an oversight, as the SQLite upstream say there are
security concerns.

> SQLITE_ENABLE_FTS3_TOKENIZER
> 
> This option enables the two-argument version of the fts3_tokenizer()
> interface. The second argument to fts3_tokenizer() is supposed to be
> a pointer to a function (encoded as a BLOB) that implements an
> application defined tokenizer. If hostile actors are able to run the
> two-argument version of fts3_tokenizer() with an arbitrary second
> argument, they could use it to crash or take control of the process.
>
> Because of security concerns, the two-argument fts3_tokenizer()
> feature was disabled beginning with Version 3.11.0 (2016-02-15)
> unless this compile-time option is used. Version 3.12.0 (2016-03-29)
> added the
> sqlite3_db_config(db,SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER,1,0)
> interface that activates the two-argument version of
> fts3_tokenizer() for a specific database connection at run-time.


Kind regards,

Paul


[1]: http://www.linuxfromscratch.org/blfs/view/svn/server/sqlite.html
[2]: https://www.sqlite.org/compile.html
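An added example, not part of the original mail and not BLFS or SQLite code: a Python audit that checks a CFLAGS string for the define reported above, asks the SQLite library in use whether the option was compiled in, and switches the two-argument form off for one connection. The function names and the sample CFLAGS are constructed for illustration; the per-connection calls need Python 3.12 or later, and treating any definition of the macro as enabling is an assumption.

```python
import shlex
import sqlite3

RISKY = "SQLITE_ENABLE_FTS3_TOKENIZER"

# Constructed sample: the CFLAGS quoted in the mail plus the define it reports.
SAMPLE_CFLAGS = ("-g -O2 -DSQLITE_ENABLE_FTS3=1 -DSQLITE_ENABLE_FTS4=1 "
                 "-DSQLITE_ENABLE_COLUMN_METADATA=1 -DSQLITE_SECURE_DELETE "
                 "-DSQLITE_ENABLE_UNLOCK_NOTIFY=1 -DSQLITE_ENABLE_DBSTAT_VTAB=1 "
                 "-DSQLITE_ENABLE_FTS3_TOKENIZER=1")

def cflags_defines(cflags):
    """Return {macro: value} after applying -D/-U options in order."""
    defines = {}
    tokens = iter(shlex.split(cflags))
    for tok in tokens:
        if tok in ("-D", "-U"):            # "-D NAME" written as two words
            tok += next(tokens, "")
        if tok.startswith("-D") and len(tok) > 2:
            name, _, value = tok[2:].partition("=")
            defines[name] = value or "1"
        elif tok.startswith("-U") and len(tok) > 2:
            defines.pop(tok[2:], None)
    return defines

def cflags_enable_tokenizer(cflags):
    # Assumption: any definition of the macro counts as enabling, whatever its value.
    return RISKY in cflags_defines(cflags)

def library_state(conn):
    """Report what the SQLite library behind this connection allows."""
    opts = {row[0] for row in conn.execute("PRAGMA compile_options")}
    state = {"compiled_in": "ENABLE_FTS3_TOKENIZER" in opts, "connection": None}
    flag = getattr(sqlite3, "SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER", None)
    if flag is not None and hasattr(conn, "getconfig"):   # Python 3.12+
        state["connection"] = bool(conn.getconfig(flag))
    return state

def disable_tokenizer(conn):
    """Turn the two-argument form off for this connection; True if applied."""
    flag = getattr(sqlite3, "SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER", None)
    if flag is None or not hasattr(conn, "setconfig"):
        return False
    conn.setconfig(flag, False)
    return True

if __name__ == "__main__":
    print("CFLAGS enable it:", cflags_enable_tokenizer(SAMPLE_CFLAGS))
    with sqlite3.connect(":memory:") as conn:
        print(library_state(conn), "disabled now:", disable_tokenizer(conn))
```
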

-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
