Modified: branches/safari-600.1.4.16-branch/Source/WebCore/ChangeLog (185051 => 185052)
--- branches/safari-600.1.4.16-branch/Source/WebCore/ChangeLog 2015-06-01 02:08:46 UTC (rev 185051)
+++ branches/safari-600.1.4.16-branch/Source/WebCore/ChangeLog 2015-06-01 02:11:02 UTC (rev 185052)
@@ -1,3 +1,23 @@
+2015-05-31 Babak Shafiei <[email protected]>
+
+ Merge r185003.
+
+ 2015-05-29 Brady Eidson <[email protected]>
+
+ WebSQL default functions can bypass authorizer.
+ <rdar://problem/21048994> and https://bugs.webkit.org/show_bug.cgi?id=145463
+
+ Reviewed by Sam Weinig and Alexey Proskuryakov.
+
+ No new tests yet.
+
+ * platform/sql/SQLiteDatabase.cpp:
+ (WebCore::unauthorizedSQLFunction): Function to install into SQLite to override some built-in functions.
+ (WebCore::SQLiteDatabase::open):
+ (WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): Install function overrides for functions that
+ take arbitrary input that are also meant to be disabled by virtue of them not being whitelisted.
+ * platform/sql/SQLiteDatabase.h:
+
2015-05-19 Babak Shafiei <[email protected]>
Merge r179010.
Modified: branches/safari-600.1.4.16-branch/Source/WebCore/platform/sql/SQLiteDatabase.cpp (185051 => 185052)
--- branches/safari-600.1.4.16-branch/Source/WebCore/platform/sql/SQLiteDatabase.cpp 2015-06-01 02:08:46 UTC (rev 185051)
+++ branches/safari-600.1.4.16-branch/Source/WebCore/platform/sql/SQLiteDatabase.cpp 2015-06-01 02:11:02 UTC (rev 185052)
@@ -50,6 +50,13 @@
static const char notOpenErrorMessage[] = "database is not open";
+static void unauthorizedSQLFunction(sqlite3_context *context, int, sqlite3_value **)
+{
+ const char* functionName = (const char*)sqlite3_user_data(context);
+ String errorMessage = String::format("Function %s is unauthorized", functionName);
+ sqlite3_result_error(context, errorMessage.utf8().data(), -1);
+}
+
SQLiteDatabase::SQLiteDatabase()
: m_db(0)
, m_pageSize(-1)
@@ -82,6 +89,8 @@
return false;
}
+ overrideUnauthorizedFunctions();
+
m_openError = sqlite3_extended_result_codes(m_db, 1);
if (m_openError != SQLITE_OK) {
m_openErrorMessage = sqlite3_errmsg(m_db);
@@ -133,6 +142,22 @@
m_openErrorMessage = CString();
}
+void SQLiteDatabase::overrideUnauthorizedFunctions()
+{
+ std::pair<const char*, int> functionParameters[] = {
+ { "rtreenode", 2 },
+ { "rtreedepth", 1 },
+ { "eval", 1 },
+ { "eval", 2 },
+ { "printf", -1 },
+ { "fts3_tokenizer", 1 },
+ { "fts3_tokenizer", 2 },
+ };
+
+ for (auto& functionParameter : functionParameters)
+ sqlite3_create_function(m_db, functionParameter.first, functionParameter.second, SQLITE_UTF8, (void*)functionParameter.first, unauthorizedSQLFunction, 0, 0);
+}
+
void SQLiteDatabase::interrupt()
{
m_interrupted = true;
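Review bot: The return value of sqlite3_create_function() in the loop at the end of overrideUnauthorizedFunctions is discarded, so a registration that fails leaves the built-in (printf, eval, the rtree and fts3 helpers) reachable with no indication that the override did not take. Since this routine is the control the commit introduces, a failed registration should be treated as a failure to open rather than ignored; at minimum capture and assert on it, `int result = sqlite3_create_function(m_db, functionParameter.first, functionParameter.second, SQLITE_UTF8, (void*)functionParameter.first, unauthorizedSQLFunction, 0, 0);` followed by `ASSERT_UNUSED(result, result == SQLITE_OK);` (WTF's assertion macro, assuming Assertions.h is already included here), or have the function report a failure that the open() caller in the second hunk can act on. A short comment above the table would help the next reader, e.g. `// Built-ins that accept arbitrary input; registering a stub under the same name and arity makes them raise an error instead of running.` The C-style casts here and in unauthorizedSQLFunction in the first hunk would read better as static_cast, but that is style only.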
Modified: branches/safari-600.1.4.16-branch/Source/WebCore/platform/sql/SQLiteDatabase.h (185051 => 185052)
--- branches/safari-600.1.4.16-branch/Source/WebCore/platform/sql/SQLiteDatabase.h 2015-06-01 02:08:46 UTC (rev 185051)
+++ branches/safari-600.1.4.16-branch/Source/WebCore/platform/sql/SQLiteDatabase.h 2015-06-01 02:11:02 UTC (rev 185052)
@@ -148,7 +148,9 @@
void enableAuthorizer(bool enable);
int pageSize();
-
+
+ void overrideUnauthorizedFunctions();
+
sqlite3* m_db;
int m_pageSize;