SQLite Forum

SQLITE_ALTER_TABLE not reported by ALTER TABLE DROP COLUMN
Login

SQLITE_ALTER_TABLE not reported by ALTER TABLE DROP COLUMN

(1.3) By Gwendal Roué (groue) on 2022-01-18 09:32:59 edited from 1.2 [source]

Hello,

I want to report a bug, and also to ask if the proposed workaround is valid according to you.

ALTER TABLE DROP COLUMN does not report the SQLITE_ALTER_TABLE authorization code to the authorization callback, as other table alteration statements do. I could witness this bug up to the latest version 3.37.2.

The issue was first reported here: https://github.com/groue/GRDB.swift/pull/1144#issuecomment-1015155717

Precisely speaking, when I run the following statements with SQLite 3.37.2:

CREATE TABLE test (a, b);
ALTER TABLE test DROP COLUMN b;

The compilation of the second statement triggers the authorization callbacks listed below. SQLITE_ALTER_TABLE is not there. But there is SQLITE_FUNCTION sqlite_drop_column.

Do you think I can rely on this last authorization callback to detect ALTER TABLE DROP COLUMN, In all versions of SQLite starting from 3.35.0, until the bug is fixed?

Thank you very much

SQLITE_SELECT 
SQLITE_FUNCTION like
SQLITE_READ sqlite_master, name, main
SQLITE_FUNCTION like
SQLITE_READ sqlite_master, sql, main
SQLITE_FUNCTION sqlite_rename_test
SQLITE_READ sqlite_master, sql, main
SQLITE_READ sqlite_master, type, main
SQLITE_READ sqlite_master, name, main
SQLITE_SELECT 
SQLITE_FUNCTION like
SQLITE_READ sqlite_temp_master, name, temp
SQLITE_FUNCTION like
SQLITE_READ sqlite_temp_master, sql, temp
SQLITE_FUNCTION sqlite_rename_test
SQLITE_READ sqlite_temp_master, sql, temp
SQLITE_READ sqlite_temp_master, type, temp
SQLITE_READ sqlite_temp_master, name, temp
SQLITE_FUNCTION sqlite_rename_quotefix
SQLITE_READ sqlite_master, sql, main
SQLITE_UPDATE sqlite_master, sql, main
SQLITE_FUNCTION like
SQLITE_READ sqlite_master, name, main
SQLITE_FUNCTION like
SQLITE_READ sqlite_master, sql, main
SQLITE_FUNCTION sqlite_rename_quotefix
SQLITE_READ sqlite_temp_master, sql, temp
SQLITE_UPDATE sqlite_temp_master, sql, temp
SQLITE_FUNCTION like
SQLITE_READ sqlite_temp_master, name, temp
SQLITE_FUNCTION like
SQLITE_READ sqlite_temp_master, sql, temp
SQLITE_FUNCTION sqlite_drop_column
SQLITE_READ sqlite_master, sql, main
SQLITE_UPDATE sqlite_master, sql, main
SQLITE_READ sqlite_master, type, main
SQLITE_READ sqlite_master, tbl_name, main
SQLITE_SELECT 
SQLITE_FUNCTION like
SQLITE_READ sqlite_master, name, main
SQLITE_FUNCTION like
SQLITE_READ sqlite_master, sql, main
SQLITE_FUNCTION sqlite_rename_test
SQLITE_READ sqlite_master, sql, main
SQLITE_READ sqlite_master, type, main
SQLITE_READ sqlite_master, name, main
SQLITE_SELECT 
SQLITE_FUNCTION like
SQLITE_READ sqlite_temp_master, name, temp
SQLITE_FUNCTION like
SQLITE_READ sqlite_temp_master, sql, temp
SQLITE_FUNCTION sqlite_rename_test
SQLITE_READ sqlite_temp_master, sql, temp
SQLITE_READ sqlite_temp_master, type, temp
SQLITE_READ sqlite_temp_master, name, temp

(2) By Gwendal Roué (groue) on 2022-01-18 09:49:25 in reply to 1.3 [link] [source]

The issue was already reported in https://sqlite.org/forum/forumpost/5bdc81e0a35ee7064a45358fe2602f3b7da3e4073710599d9cb45abd9ebadb0c

(3) By Gwendal Roué (groue) on 2022-01-21 10:51:54 in reply to 1.3 [link] [source]

Hello again, I really don't want to sound rude, but I don't know if the bug report is ignored, or if I should use another way to report such an issue so that it gets tracked.

I guess a bug in the authorizer is pretty concerning for people who care about security.

I admittedly don't use the authorizer for security purpose, but only for database observation purposes (so that I know what a statement is about to do). And the workaround I described above looks good enough for my own purposes.

I'm just not sure if I properly reported an SQLite bug.

Gwendal

(4) By Richard Hipp (drh) on 2022-01-21 11:07:42 in reply to 3 [link] [source]

The problem should be fixed on trunk. You can apply the patch or wait for the next release.

Thanks for the bug report.

(5) By Gwendal Roué (groue) on 2022-01-21 11:36:39 in reply to 4 [link] [source]

Thank you very much :-) Have a nice day!

(6) By Gwendal Roué (groue) on 2022-01-21 11:46:37 in reply to 4 [link] [source]

I confirm that SQLITE_ALTER_TABLE is properly reported on trunk 👍