On Mon, 5 Feb 2018, Jens Alfke wrote:
> You can very easily prove that SQLite contains no networking code,
> so it’s incapable of accessing any network. Just search through
> sqlite3.c looking for the names of the system calls needed to open a
> socket; they don’t appear. Or more rigorously, use a
> (platform-specific) tool to dump the list of external functions
> called by the compiled SQLite library.

The default configuration of SQLite does have the possibility of
executing network code since it is able to load external shared
libraries as modules and the modules can contain arbitrary code.

The security of SQLite depends on how it is built, the environment in
which it is used, and the arguments supplied to it.

If arbitrary SQL commands can be sent into SQLite, then good luck and
best wishes regarding security.

GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
sqlite-users mailing list
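
The module-loading concern raised in this message, as an added example that is not part of the original thread or of SQLite's own code: a connection opened through Python's standard `sqlite3` module with the extension loader switched off and an authorizer that rejects `load_extension()` when a statement is compiled. The helper names (`open_hardened`, `run_sql`, `deny_extension_loading`) and the module path are assumptions made for illustration.

```python
import sqlite3

BLOCKED_FUNCTIONS = {"load_extension"}  # SQL functions untrusted SQL may not call


def deny_extension_loading(action, arg1, arg2, db_name, source):
    """Authorizer callback: SQLite calls it while compiling each statement."""
    # For SQLITE_FUNCTION the function name arrives in the second argument.
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in BLOCKED_FUNCTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_hardened(path=":memory:"):
    conn = sqlite3.connect(path)
    # Switch off the extension loader itself where this Python build exposes it.
    if hasattr(conn, "enable_load_extension"):
        conn.enable_load_extension(False)
    conn.set_authorizer(deny_extension_loading)
    return conn


def run_sql(conn, sql):
    """Return (rows, None) on success or (None, error text) when SQLite refuses."""
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.DatabaseError as exc:
        return None, str(exc)


if __name__ == "__main__":
    conn = open_hardened()
    # Constructed statements; the module path is a placeholder that does not exist.
    for sql in (
        "SELECT abs(-3)",
        "SELECT load_extension('/nonexistent/constructed_module.so')",
        "SELECT 1 WHERE (SELECT LOAD_EXTENSION('/nonexistent/constructed_module.so')) IS NULL",
    ):
        print(sql, "->", run_sql(conn, sql))
```

The authorizer runs when a statement is prepared, so a rejected statement never executes, and ordinary functions such as `abs()` keep working.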