Noah Kantrowitz wrote:
> Christian Boos wrote:
>> Christian Boos wrote:
>>> Christopher Lenz wrote:
>>>> On 13.12.2007, at 11:37, Noah Kantrowitz wrote:
>>>>> A possible security issue exists with pooled SQLite connection and the
>>>>> ATTACH/DETACH statements.
>>
>> As an afterthought: "with pooled SQLite connection" - maybe Noah had
>> another vulnerability in mind.
>> Anyway, this topic should have been discussed on trac-security.
>
> I am not on that list as far as I know. The pooled part is because you
> can only run one statement in a given report so this would require
> multiple coordinated reports. In my tests on Windows I wasn't actually
> able to accomplish this. Given the somewhat theoretical nature of this
> issue, I didn't think it necessary to go the secret route.

Well, consider it's no longer theoretical, then. But you're right: the connection must have been reused from the pool, otherwise this won't work. cmlenz or jonas should be able to subscribe you to trac-security.

-- Christian
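The point both posters agree on, that an ATTACH only matters when the same connection is handed out again, can be checked with Python's `sqlite3` module. This is an added example, not code from the thread or from Trac: `TinyPool`, `run_report` and the other names are hypothetical, and the authorizer callback is one possible mitigation, not the fix the project adopted.

```python
import sqlite3

# Authorizer action codes that change which database files a connection can reach.
BLOCKED = {sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH}


def deny_attach(action, arg1, arg2, db_name, source):
    """Authorizer callback: refuse ATTACH/DETACH, allow every other action."""
    return sqlite3.SQLITE_DENY if action in BLOCKED else sqlite3.SQLITE_OK


class TinyPool:
    """Hypothetical one-connection pool: every caller gets the same connection."""

    def __init__(self, harden):
        self.cnx = sqlite3.connect(":memory:")
        if harden:
            # Installed once per connection, so it survives reuse from the pool.
            self.cnx.set_authorizer(deny_attach)

    def get(self):
        return self.cnx


def attached_databases(cnx):
    """Schema names currently visible on this connection."""
    return [row[1] for row in cnx.execute("PRAGMA database_list")]


def run_report(pool, sql):
    """Run one user-supplied statement, as a report does; return the error text or None."""
    try:
        pool.get().execute(sql).fetchall()
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed input: a harmless in-memory database attached as "scratch".
    stmt = "ATTACH DATABASE ':memory:' AS scratch"
    for harden in (False, True):
        pool = TinyPool(harden)
        err = run_report(pool, stmt)
        # The second lookup stands in for a later report reusing the pooled connection.
        print(f"harden={harden} error={err!r} visible={attached_databases(pool.get())}")
```

A pool can also call `attached_databases()` when a connection is returned and discard any connection that lists more than its expected schemas.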
