New submission from Erlend Egeberg Aasland <erlend.aasl...@innova.no>:

Quoting from the SQLite docs:
"It is recommended that extension loading be enabled using the SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION method rather than this interface, so the load_extension() SQL function remains disabled. This will prevent SQL injections from giving attackers access to extension loading capabilities."

Suggesting to make sqlite3.Connection.enable_load_extension a module level function, and use sqlite3_db_config() iso. sqlite3_enable_load_extension(). We could add an optional argument for also enabling the SQL function.

1. Introduce sqlite3.enable_load_extension(enable, /, enable_sql_api=False)
2. Add deprecation warning to sqlite3.Connection.enable_load_extension()
3. In Python 3.12, remove sqlite3.Connection.enable_load_extension()

----------
components: Extension Modules
messages: 390422
nosy: berker.peksag, christian.heimes, erlendaasland
priority: normal
severity: normal
status: open
title: [sqlite3] Use SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION iso. sqlite3_enable_load_extension()
type: security
versions: Python 3.10

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43763>
_______________________________________
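
An added example, not part of the tracker message or of CPython's code: it checks whether SQL text can reach the load_extension() SQL function on a default connection, after Connection.enable_load_extension(True), and with an authorizer callback that denies that one function. It assumes enable_load_extension() is backed by sqlite3_enable_load_extension() as the issue describes; the names deny_load_extension, sql_function_state, survey and PROBE are hypothetical, and the probed path is constructed and never exists.

```python
import sqlite3

# Authorizer action code for SQL function calls; 31 is SQLite's documented value.
SQLITE_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)
PROBE = "/nonexistent/constructed-placeholder"  # constructed path, never exists


def deny_load_extension(action, arg1, arg2, db_name, source):
    """Authorizer callback: refuse the load_extension() SQL function only."""
    if action == SQLITE_FUNCTION and (arg2 or "").lower() == "load_extension":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def sql_function_state(con):
    """Return 'blocked' if SQL text cannot reach load_extension(), else 'reachable'."""
    try:
        con.execute("SELECT load_extension(?)", (PROBE,))
    except sqlite3.Error as exc:
        msg = str(exc).lower()
        if "not authorized" in msg or "no such function" in msg:
            return "blocked"
    # Any other outcome means SQLite went looking for the file.
    return "reachable"


def survey():
    results = {}
    con = sqlite3.connect(":memory:")
    results["default"] = sql_function_state(con)
    can_enable = hasattr(con, "enable_load_extension")  # absent on some builds
    con.close()

    if can_enable:
        con = sqlite3.connect(":memory:")
        con.enable_load_extension(True)  # also switches on the SQL function
        results["after_enable"] = sql_function_state(con)
        con.close()

    con = sqlite3.connect(":memory:")
    if can_enable:
        con.enable_load_extension(True)
    con.set_authorizer(deny_load_extension)  # mitigation for the current API
    results["enable_plus_authorizer"] = sql_function_state(con)
    con.close()
    return results


if __name__ == "__main__":
    for name, state in survey().items():
        print(f"{name}: {state}")
```

The authorizer leaves Connection.load_extension() usable from Python while keeping the SQL-level function out of reach of injected statements.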