On Mon, 5 Feb 2018, Jens Alfke wrote:

You can very easily prove that SQLite contains no networking code, so it’s incapable of accessing any network. Just search through sqlite3.c looking for the names of the system calls needed to open a socket; they don’t appear. Or more rigorously, use a (platform-specific) tool to dump the list of external functions called by the compiled SQLite library.

The default configuration of SQLite does have the possibilty of executing network code since it is able to load external shared libraries as modules and the modules can contain arbitrary code.

The security of SQLite depends on how it is built, the environment in which it is used, and the arguments supplied to it.

If arbitrary SQL commands can be sent into SQLite, then good luck and best wishes regarding security.

Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
sqlite-users mailing list

Reply via email to