On 18 Dec 2018, at 9:00pm, Peter da Silva <res...@gmail.com> wrote:

> I have to say I'm pretty boggled that Chrome allows hostile users to feed
> code directly into an SQL interpreter that wasn't written from the ground up
> to be secure.

Chrome has problems far more serious than that. And one can do all sorts of nasty things in Chrome extensions. It's difficult for the developers of Chrome to both prevent exploits by webmasters and extension writers, and also allow those people to do wonderful, entirely legitimate, things. At the level of making an API call it's not possible for the called function to work out whether it's being used legitimately or not without a lot of extra processing which would make it so slow nobody would use it.

The tencent.com report is not entirely straightforward about precisely where the problem lies, and what an exploit could do. It would be just as useful a report if it mentioned the problem in Chrome and avoided all mention of SQLite. And implying that SQLite ever had a remote code execution problem is incorrect.

Simon.