> On Aug 27, 2019, at 7:06 AM, Philip Bennefall <phi...@blastbay.com> wrote:
> 
> There is the sqlar archive format, which you can test using the official 
> sqlite3 command line shell. There is also a library for it as part of the 
> Sqlite3 repository.

"An SQLite Archive is an ordinary SQLite database file that contains the 
following table as part of its schema…"

Archive files often get transferred between people. Using this format for that 
purpose would involve opening and reading untrusted SQLite database files. Is 
that safe? Could maliciously corrupting the schema or other metadata of a 
database cause security problems for the client accessing the database?

(I'm thinking not just of a separate `sqlite3` process accessing the archive, 
but also of the archiving code running inside some other process — consider a 
web browser or file manager extracting a sqlar archive.)

There were some security issues that came up recently involving the Chrome 
browser allowing untrusted JS code to run SQLite queries on local database 
files. But the scenario I'm thinking of is kind of the reverse — the queries 
are trusted but the database itself isn't.

—Jens
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
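
The scenario raised above (trusted queries, untrusted database file), as an added example that is not part of the original message or of the SQLite project: it opens an archive read-only with settings the SQLite documentation recommends for database files from unknown sources, and rejects any schema other than a bare `sqlar` table. The names `open_untrusted_sqlar`, `build_sample` and `UntrustedArchiveError` are hypothetical, and the sample archives are constructed for the example.

```python
import sqlite3
from pathlib import Path

SQLAR_DDL = ("CREATE TABLE sqlar(name TEXT PRIMARY KEY, mode INT, "
             "mtime INT, sz INT, data BLOB)")

class UntrustedArchiveError(Exception):
    """Raised when the file does not look like a plain sqlar archive."""

def build_sample(path, tampered=False):
    """Constructed sample: a valid archive, or one where sqlar is a view."""
    con = sqlite3.connect(path)
    if tampered:
        con.execute("CREATE TABLE t(name, mode, mtime, sz, data)")
        con.execute("CREATE VIEW sqlar AS SELECT * FROM t")
    else:
        con.execute(SQLAR_DDL)
        con.execute("INSERT INTO sqlar VALUES('a.txt', 420, 0, 2, x'6869')")
    con.commit()
    con.close()

def open_untrusted_sqlar(path):
    """Open path read-only; refuse anything beyond a bare sqlar table."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        # Hardening for files of unknown origin, set before the schema is used.
        con.execute("PRAGMA trusted_schema=OFF")  # schema may not call unsafe functions
        con.execute("PRAGMA cell_size_check=ON")  # extra b-tree page sanity checks
        con.execute("PRAGMA mmap_size=0")         # no memory-mapped I/O on this file
        objects = con.execute(
            "SELECT type, name, tbl_name FROM sqlite_master").fetchall()
        for kind, name, tbl in objects:
            # Expected: the sqlar table and its automatic PRIMARY KEY index only.
            ok = (kind == "table" and name == "sqlar") or (
                kind == "index" and tbl == "sqlar"
                and str(name).startswith("sqlite_autoindex_"))
            if not ok:
                raise UntrustedArchiveError(f"unexpected {kind} {name!r}")
        if not any(k == "table" and n == "sqlar" for k, n, _ in objects):
            raise UntrustedArchiveError("no sqlar table")
        if con.execute("PRAGMA quick_check").fetchall() != [("ok",)]:
            raise UntrustedArchiveError("quick_check failed")
    except sqlite3.DatabaseError as exc:
        con.close()
        raise UntrustedArchiveError(f"not a usable database: {exc}") from exc
    except UntrustedArchiveError:
        con.close()
        raise
    return con
```

These checks narrow what a tampered schema can do through views, triggers and extra tables; they do not address bugs in the SQLite library itself, so keeping the library current still matters.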
