A possible security issue exists with pooled SQLite connections and the ATTACH/DETACH statements. Below is a patch that should correct it; can people test that it doesn't impact performance too much?
Index: trac/db/sqlite_backend.py
===================================================================
--- trac/db/sqlite_backend.py (revision 6324)
+++ trac/db/sqlite_backend.py (working copy)
@@ -174,6 +174,12 @@
cnx = sqlite.connect(path, detect_types=sqlite.PARSE_DECLTYPES,
check_same_thread=sqlite_version < 30301,
timeout=timeout)
+
+ def authz_callback(action, arg1, arg2, dbname, source):
+ if action == sqlite.SQLITE_ATTACH or action ==
sqlite.SQLITE_DETACH:
+ return sqlite.SQLITE_DENY
+ return sqlite.SQLITE_OK
+ cnx.set_authorizer(authz_callback)
else:
timeout = int(params.get('timeout', 10000))
cnx = sqlite.connect(path, timeout=timeout, encoding='utf-8')
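Review bot: the authorizer is only installed on the first connection path; the `else:` branch that does `cnx = sqlite.connect(path, timeout=timeout, encoding='utf-8')` returns a connection with no `set_authorizer` call, so ATTACH/DETACH remain permitted for that module version. Either install the same callback there (or fail loudly if that module lacks `set_authorizer`) or state in the commit message that the fix only covers the `detect_types=` path. Two smaller points: returning `SQLITE_DENY` makes the offending statement fail with a "not authorized" error that will surface to the caller, which is the intended behaviour but worth a comment, and since SQLite consults the authorizer while compiling each statement, the cost the post asks about is one Python callback per authorized action at prepare time; defining `authz_callback` once at module level instead of per connection would at least avoid recreating the closure on every pooled connect.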
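To make the effect of the patch concrete, here is an added example (not Trac's code, and written against the standard-library `sqlite3` module rather than the `pysqlite` names used in the patch) that opens one connection with an ATTACH/DETACH-denying authorizer and one without, then checks which statements each connection accepts. Table and row contents are constructed for the demo.

```python
import sqlite3


def deny_attach_detach(action, arg1, arg2, dbname, source):
    # SQLite calls this while compiling every statement. Refuse the two
    # actions that would let a pooled connection gain or drop databases,
    # and allow everything else unchanged.
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_hardened(path):
    # Same idea as the patch: install the authorizer right after connect,
    # before the connection is handed to anyone who can run SQL on it.
    cnx = sqlite3.connect(path)
    cnx.set_authorizer(deny_attach_detach)
    return cnx


def statement_allowed(cnx, sql, params=()):
    # SQLITE_DENY makes sqlite3 raise a DatabaseError ("not authorized")
    # at prepare time, so a failed execute() means the authorizer blocked it.
    try:
        cnx.execute(sql, params)
        return True
    except sqlite3.DatabaseError:
        return False


def demo():
    hardened = open_hardened(":memory:")
    plain = sqlite3.connect(":memory:")
    for cnx in (hardened, plain):
        # Constructed sample schema; CREATE/INSERT are still authorized.
        cnx.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT)")
        cnx.execute("INSERT INTO ticket (summary) VALUES ('constructed sample')")
    results = {
        "hardened_select": statement_allowed(hardened, "SELECT summary FROM ticket"),
        "hardened_attach": statement_allowed(
            hardened, "ATTACH DATABASE ? AS extra", (":memory:",)),
        "plain_attach": statement_allowed(
            plain, "ATTACH DATABASE ? AS extra", (":memory:",)),
    }
    hardened.close()
    plain.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Ordinary queries pass through the authorizer untouched, while the hardened connection rejects ATTACH; the unhardened connection accepts it, which is the exposure the patch closes.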