On Tuesday, 27 August, 2019 12:47, Jens Alfke <j...@mooseyard.com> wrote:

>Archive files often get transferred between people. Using this format
>for that purpose would involve opening and reading untrusted SQLite
>database files. Is that safe? Could maliciously corrupting the schema
>or other metadata of a database cause security problems for the
>client accessing the database?

Everything that has been touched by a third-party is inherently untrustworthy.  
Thus it is and thus it has always been.  Even ZIP files have a database schema 
that can be manipulated as does everything else.  There is no difference other 
than the misplaced assumption of trust.

>(I'm thinking not just of a separate `sqlite3` process accessing the
>archive, but also of the archiving code running inside some other
>process — consider a web browser or file manager extracting a sqlar
>archive.)

And how is this in any way different from a zip process, or a rar process or 
an uncompress process or any of a number of possibly trustworthy programs 
processing data coming from an untrustworthy source?  (which includes things 
like Web Browsers, Video Players, and on and on)

>There were some security issues that came up recently involving the
>Chrome browser allowing untrusted JS code to run SQLite queries on
>local database files. But the scenario I'm thinking of is kind of the
>reverse — the queries are trusted but the database itself isn't.

Chrome is a Google product.  Google's only revenue source is selling 
information that they have obtained from third-parties by clandestine means.  
As such, nothing which bears a Google (or Alphabet) name can be considered in 
any way trustworthy.  One must assign trust having an eye to this fact and 
evaluate all statements made in light of this truth.  So Google Chrome 
permitting untrusted JS to run SQLite queries on local database files should be 
expected and is not a security problem.  How else would Google make money?

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.




_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
