[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Change by Steve Dower :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Steve Dower  added the comment:


New changeset 10665ac37313560fe87460cf4a5c26677049bf62 by Erlend Egeberg 
Aasland in branch '3.8':
bpo-43434: Move sqlite3.connect audit events to sqlite3.Connection.__init__ 
(GH-25818)
https://github.com/python/cpython/commit/10665ac37313560fe87460cf4a5c26677049bf62


--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 3.0 -> 4.0
pull_requests: +24514
pull_request: https://github.com/python/cpython/pull/25826




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Steve Dower  added the comment:


New changeset ad73d1657ca3591b1dd1d15bb80ce83ca7fc3223 by Erlend Egeberg 
Aasland in branch '3.9':
bpo-43434: Move sqlite3.connect audit event to sqlite3.Connection.__init__ 
(GH-25818)
https://github.com/python/cpython/commit/ad73d1657ca3591b1dd1d15bb80ce83ca7fc3223


--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Erlend Egeberg Aasland  added the comment:

Thanks, Steve, that means a lot! Glad to help. Thank you for getting it into 
beta1. Having the new event out there with the wrong object passed to it would 
have been a tiny bit embarrassing :)

--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Change by Erlend Egeberg Aasland :


--
pull_requests: +24513
pull_request: https://github.com/python/cpython/pull/25825




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Steve Dower  added the comment:


New changeset cbb7b9ed4a6069a2cb2e2f809926c2cfa332a493 by Erlend Egeberg 
Aasland in branch 'master':
bpo-43434: Clean up sqlite3.connect() after GH-25818 (GH-25823)
https://github.com/python/cpython/commit/cbb7b9ed4a6069a2cb2e2f809926c2cfa332a493


--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Steve Dower  added the comment:

Thanks, Erlend! Appreciate how quickly you got onto that, and the quality of 
your work.

--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Change by Erlend Egeberg Aasland :


--
pull_requests: +24510
pull_request: https://github.com/python/cpython/pull/25823




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Change by Erlend Egeberg Aasland :


--
pull_requests: +24509
stage: backport needed -> patch review
pull_request: https://github.com/python/cpython/pull/25822




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Erlend Egeberg Aasland  added the comment:

Thanks! :) I'll fix the backports.

--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Steve Dower  added the comment:

We could get this one in after beta 1 anyway, but sure, it's in.

The backports are going to have to be manual, I suspect...

--
stage: patch review -> backport needed




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Steve Dower  added the comment:


New changeset c96cc089f60d2bf7e003c27413c3239ee9de2990 by Erlend Egeberg 
Aasland in branch 'master':
bpo-43434: Move sqlite3.connect audit events to sqlite3.Connection.__init__ 
(GH-25818)
https://github.com/python/cpython/commit/c96cc089f60d2bf7e003c27413c3239ee9de2990


--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Erlend Egeberg Aasland  added the comment:

Steve, can we get this in before beta1 (bco. the bugfix)?

--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Erlend Egeberg Aasland  added the comment:

The PR accidentally fixes a bug in GH-25246 (bpo-43762):
The object passed to PySys_Audit() is now the connection object, not the module 
object.

--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Erlend Egeberg Aasland


Change by Erlend Egeberg Aasland :


--
pull_requests: +24504
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/25818




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-05-02 Thread Steve Dower


Steve Dower  added the comment:

Yes, let's move it into the init function.

--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-04-30 Thread Erlend Egeberg Aasland


Erlend Egeberg Aasland  added the comment:

Steve, is it worth it to improve this?

--




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-03-08 Thread Erlend Egeberg Aasland


Change by Erlend Egeberg Aasland :


--
keywords: +patch
Added file: https://bugs.python.org/file49858/patch.diff




[issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

2021-03-08 Thread Erlend Egeberg Aasland


New submission from Erlend Egeberg Aasland :

The module level connect method is guarded by PySys_Audit(), but 
sqlite3.Connection.__init__() is not. It is possible to bypass the module level 
connect() method simply by creating a new sqlite3.Connection object directly.

Easily fixed by either moving the PySys_Audit() check to 
pysqlite_connection_init(), or by adding an extra check in 
pysqlite_connection_init().


>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...         raise PermissionError
... 
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')


--
components: Library (Lib)
files: audit.py
messages: 388264
nosy: berker.peksag, erlendaasland, steve.dower
priority: normal
severity: normal
status: open
title: sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks
type: security
versions: Python 3.10, Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49857/audit.py
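
A coverage check for the gap reported above, as an added example that is not part of the original thread or of CPython: it records which ways of opening a database raise the 'sqlite3.connect' audit event on the running interpreter. The helper names are assumptions, and the subclass case goes beyond the two calls shown in the report.

```python
import sqlite3
import sys

_seen = []        # sqlite3.* audit events recorded while a probe is active
_active = False   # audit hooks cannot be removed, so gate recording instead


def _hook(event, args):
    # Record rather than raise, so every code path can be probed in one run.
    if _active and event.startswith("sqlite3."):
        _seen.append(event)


sys.addaudithook(_hook)


def events_for(opener):
    """Return the sqlite3.* audit events raised while calling opener()."""
    global _active
    _seen.clear()
    _active = True
    try:
        opener().close()
    finally:
        _active = False
    return list(_seen)


def connect_audit_coverage():
    """Map each way of opening a database to whether 'sqlite3.connect' fired."""
    subclass = type("AuditProbeConnection", (sqlite3.Connection,), {})
    paths = {
        "sqlite3.connect": lambda: sqlite3.connect(":memory:"),
        "sqlite3.Connection": lambda: sqlite3.Connection(":memory:"),
        "Connection subclass": lambda: subclass(":memory:"),
    }
    return {name: "sqlite3.connect" in events_for(fn)
            for name, fn in paths.items()}


if __name__ == "__main__":
    for name, audited in connect_audit_coverage().items():
        print(f"{name:22} {'audited' if audited else 'NOT AUDITED'}")
```

On an interpreter without the change discussed in this thread, the direct `sqlite3.Connection` path is the one expected to report as not audited.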
