
Check-in [d6be1f495e]

Overview
Comment:In the sqlite3_limit() interface, take out the feature where zero means use the hard upper bound. If an application wants the hard upper bound, it can set the limit to 0x7fffffff and the bound will be automatically truncated. (CVS 4900)
SHA1: d6be1f495ec57158f7bcca3e32145a9a8fde723a
User & Date: drh 2008-03-20 18:00:49.000
Context
2008-03-21
14:22
Add some more logging to the malloc system used when SQLITE_MEMDEBUG is defined. (CVS 4901) (check-in: 79738f582f user: danielk1977 tags: trunk)
2008-03-20
18:00
In the sqlite3_limit() interface, take out the feature where zero means use the hard upper bound. If an application wants the hard upper bound, it can set the limit to 0x7fffffff and the bound will be automatically truncated. (CVS 4900) (check-in: d6be1f495e user: drh tags: trunk)
16:30
Reinstate test cases for the limit tests. The sqlite3_limit() API is now tested and working. (CVS 4899) (check-in: 4c4be4c3c8 user: drh tags: trunk)
Changes
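--- a/src/main.c
+++ b/src/main.c
@@ -10,15 +10,15 @@
 **
 *************************************************************************
 ** Main file for the SQLite library.  The routines in this file
 ** implement the programmer interface to the library.  Routines in
 ** other files are for internal use by SQLite and should not be
 ** accessed by users of the library.
 **
-** $Id: main.c,v 1.427 2008/03/20 16:30:18 drh Exp $
+** $Id: main.c,v 1.428 2008/03/20 18:00:49 drh Exp $
 */
 #include "sqliteInt.h"
 #include <ctype.h>
 #ifdef SQLITE_ENABLE_FTS3
 # include "fts3.h"
 #endif
 
@@ -997,16 +997,14 @@
 int sqlite3_limit(sqlite3 *db, int limitId, int newLimit){
   int oldLimit;
   if( limitId<0 || limitId>SQLITE_N_LIMIT ){
     return -1;
   }
   oldLimit = db->aLimit[limitId];
   if( newLimit>=0 ){
-    if( newLimit==0 ){
-      newLimit = aHardLimit[limitId];
-    }else if( aHardLimit[limitId]>0 && newLimit>aHardLimit[limitId] ){
+    if( newLimit>aHardLimit[limitId] ){
       newLimit = aHardLimit[limitId];
     }
     db->aLimit[limitId] = newLimit;
   }
   return oldLimit;
 }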
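Review bot: The range check `if( limitId<0 || limitId>SQLITE_N_LIMIT ){` at the top of sqlite3_limit() admits limitId == SQLITE_N_LIMIT; if db->aLimit[] and aHardLimit[] are declared with SQLITE_N_LIMIT entries (their declarations are not in this hunk), that index reads and then writes one element past the end of both arrays, and it is reachable through the public API with a caller-supplied limit id. The test should be `if( limitId<0 || limitId>=SQLITE_N_LIMIT ){`. Separately, dropping the `aHardLimit[limitId]>0 &&` guard means a hard limit of 0 would now clamp every non-negative request to 0, so if every entry is guaranteed positive a comment above the comparison, `/* every aHardLimit[] entry is positive, so the clamp cannot zero a limit */`, would record the assumption the new code relies on.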

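--- a/src/sqlite.h.in
+++ b/src/sqlite.h.in
@@ -26,15 +26,15 @@
 ** on how SQLite interfaces are suppose to operate.
 **
 ** The name of this file under configuration management is "sqlite.h.in".
 ** The makefile makes some minor changes to this file (such as inserting
 ** the version number) and changes its name to "sqlite3.h" as
 ** part of the build process.
 **
-** @(#) $Id: sqlite.h.in,v 1.297 2008/03/20 16:30:18 drh Exp $
+** @(#) $Id: sqlite.h.in,v 1.298 2008/03/20 18:00:49 drh Exp $
 */
 #ifndef _SQLITE3_H_
 #define _SQLITE3_H_
 #include <stdarg.h>     /* Needed for the definition of va_list */
 
 /*
 ** Make sure we can call this stuff from C++.
@@ -1615,59 +1615,65 @@
 */
 void sqlite3_randomness(int N, void *P);
 
 /*
 ** CAPI3REF: Compile-Time Authorization Callbacks {F12500}
 **
 ** This routine registers a authorizer callback with a particular
-** database connection, supplied in the first argument.
+** [database connection], supplied in the first argument.
 ** The authorizer callback is invoked as SQL statements are being compiled
 ** by [sqlite3_prepare()] or its variants [sqlite3_prepare_v2()],
 ** [sqlite3_prepare16()] and [sqlite3_prepare16_v2()].  At various
 ** points during the compilation process, as logic is being created
 ** to perform various actions, the authorizer callback is invoked to
 ** see if those actions are allowed.  The authorizer callback should
-** return SQLITE_OK to allow the action, [SQLITE_IGNORE] to disallow the
+** return [SQLITE_OK] to allow the action, [SQLITE_IGNORE] to disallow the
 ** specific action but allow the SQL statement to continue to be
 ** compiled, or [SQLITE_DENY] to cause the entire SQL statement to be
 ** rejected with an error.   If the authorizer callback returns
 ** any value other than [SQLITE_IGNORE], [SQLITE_OK], or [SQLITE_DENY]
 ** then [sqlite3_prepare_v2()] or equivalent call that triggered
 ** the authorizer will fail with an error message.
 **
 ** When the callback returns [SQLITE_OK], that means the operation
 ** requested is ok.  When the callback returns [SQLITE_DENY], the
 ** [sqlite3_prepare_v2()] or equivalent call that triggered the
 ** authorizer will fail with an error message explaining that
 ** access is denied.  If the authorizer code is [SQLITE_READ]
-** and the callback returns [SQLITE_IGNORE] then the prepared
-** statement is constructed to insert a NULL value in place of
-** the table column that would have
+** and the callback returns [SQLITE_IGNORE] then the
+** [prepared statement] statement is constructed to substitute
+** a NULL value in place of the table column that would have
 ** been read if [SQLITE_OK] had been returned.  The [SQLITE_IGNORE]
 ** return can be used to deny an untrusted user access to individual
 ** columns of a table.
 **
 ** The first parameter to the authorizer callback is a copy of
 ** the third parameter to the sqlite3_set_authorizer() interface.
 ** The second parameter to the callback is an integer 
 ** [SQLITE_COPY | action code] that specifies the particular action
 ** to be authorized. The third through sixth
 ** parameters to the callback are zero-terminated strings that contain 
 ** additional details about the action to be authorized.
 **
-** An authorizer is used when preparing SQL statements from an untrusted
+** An authorizer is used when [sqlite3_prepare | preparing]
+** SQL statements from an untrusted
 ** source, to ensure that the SQL statements do not try to access data
 ** that they are not allowed to see, or that they do not try to
 ** execute malicious statements that damage the database.  For
 ** example, an application may allow a user to enter arbitrary
 ** SQL queries for evaluation by a database.  But the application does
 ** not want the user to be able to make arbitrary changes to the
 ** database.  An authorizer could then be put in place while the
-** user-entered SQL is being prepared that disallows everything
-** except SELECT statements.  
+** user-entered SQL is being [sqlite3_prepare | prepared] that
+** disallows everything except [SELECT] statements.
+**
+** Applications that need to process SQL from untrusted sources
+** might also consider lowering resource limits using [sqlite3_limit()]
+** and limiting database size using the [max_page_count] [PRAGMA]
+** in addition to using an authorizer.
 **
 ** Only a single authorizer can be in place on a database connection
 ** at a time.  Each call to sqlite3_set_authorizer overrides the
 ** previous call.  Disable the authorizer by installing a NULL callback.
 ** The authorizer is disabled by default.
 **
 ** Note that the authorizer callback is invoked only during 
@@ -2162,43 +2168,45 @@
 ** on a connection by connection basis.  The first parameter is the
 ** [database connection] whose limit is to be set or queried.  The
 ** second parameter is one of the [limit categories] that define a
 ** class of constructs to be size limited.  The third parameter is the
 ** new limit for that construct.  The function returns the old limit.
 **
 ** If the new limit is a negative number, the limit is unchanged.
-** If the new limit is zero, the construct becomes unlimited.  Actually,
-** there is a hard upper bound on the size of all constructs that
-** is determined at compile-time.  For the limit category of 
-** SQLITE_LIMIT_XYZ the hard upper bound is the compile-time
-** constant SQLITE_MAX_XYZ.  Attempts to increase a limit above its
-** hard upper bound are silently truncated.
+** For the limit category of SQLITE_LIMIT_XYZ there is a hard upper
+** bound set by a compile-time C-preprocess macro named SQLITE_MAX_XYZ.
+** (The "_LIMIT_" in the name is changed to "_MAX_".)
+** Attempts to increase a limit above its hard upper bound are
+** silently truncated to the hard upper limit.
 **
 ** Run time limits are intended for use in applications that manage
 ** both their own internal database and also databases that are controlled
 ** by untrusted external sources.  An example application might be a
 ** webbrowser that has its own databases for storing history and
 ** separate databases controlled by javascript applications downloaded
-** of the internet.  The internal databases can be given the
+** off the internet.  The internal databases can be given the
 ** large, default limits.  Databases managed by external sources can
 ** be given much smaller limits designed to prevent a denial of service
-** attach.
+** attach.  Developers might also want to use the [sqlite3_set_authorizer()]
+** interface to further control untrusted SQL.  The size of the database
+** created by an untrusted script can be contained using the
+** [max_page_count] [PRAGMA].
 **
 ** This interface is currently considered experimental and is subject
 ** to change or removal without prior notice.
 **
 ** INVARIANTS:
 **
-** {F12763} A successful call to [sqlite3_limit(D,C,V)] where V is
+** {F12762} A successful call to [sqlite3_limit(D,C,V)] where V is
 **          positive changes the
 **          limit on the size of construct C in [database connection] D
 **          to the lessor of V and the hard upper bound on the size
 **          of C that is set at compile-time.
 **
-** {F12763} A successful call to [sqlite3_limit(D,C,V)] where V is zero
+** {F12764} A successful call to [sqlite3_limit(D,C,V)] where V is zero
 **          changes the limit on the size of construct C in
 **          [database connection] D to be the hard upper bound on the size
 **          of C that is set at compile-time.
 **
 ** {F12766} A successful call to [sqlite3_limit(D,C,V)] where V is negative
 **          leaves the state of [database connection] D unchanged.
 **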
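Review bot: Invariant {F12764} in the sqlite3_limit() hunk still states that a zero V sets construct C to its compile-time hard upper bound, which is exactly the behaviour this check-in removes from sqlite3_limit() in src/main.c, where a zero request is now stored as a limit of zero; the renumbering from the duplicated F12763 fixed the tag but not the text, so the prose above it and the invariant below it now disagree. Suggest `** {F12764} A successful call to [sqlite3_limit(D,C,V)] where V is zero` / `**          changes the limit on the size of construct C in` / `**          [database connection] D to zero.`, or drop the invariant if a zero limit is not meant to be a documented case. The line rewritten in the same hunk, `** attach.  Developers might also want to use the [sqlite3_set_authorizer()]`, keeps the typo and should read `attack.`.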
Changes to test/sqllimits1.test.
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#    May you share freely, never taking more than you give.
#
#***********************************************************************
#
# This file contains tests to verify that the limits defined in
# sqlite source file limits.h are enforced.
#
# $Id: sqllimits1.test,v 1.25 2008/03/20 16:30:18 drh Exp $

set testdir [file dirname $argv0]
source $testdir/tester.tcl

# Verify that the default per-connection limits are the same as
# the compile-time hard limits.
#







|







8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#    May you share freely, never taking more than you give.
#
#***********************************************************************
#
# This file contains tests to verify that the limits defined in
# sqlite source file limits.h are enforced.
#
# $Id: sqllimits1.test,v 1.26 2008/03/20 18:00:49 drh Exp $

set testdir [file dirname $argv0]
source $testdir/tester.tcl

# Verify that the default per-connection limits are the same as
# the compile-time hard limits.
#
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
  sqlite3_limit db SQLITE_LIMIT_LIKE_PATTERN_LENGTH -1
} $SQLITE_MAX_LIKE_PATTERN_LENGTH
do_test sqllimits1-4.10.1 {
  sqlite3_limit db SQLITE_LIMIT_VARIABLE_NUMBER 0x7fffffff
  sqlite3_limit db SQLITE_LIMIT_VARIABLE_NUMBER -1
} $SQLITE_MAX_VARIABLE_NUMBER



#--------------------------------------------------------------------
# Test cases sqllimits1-5.* test that the SQLITE_MAX_LENGTH limit
# is enforced.
#
db close
sqlite3 db test.db
set LARGESIZE 99999







<
<







219
220
221
222
223
224
225


226
227
228
229
230
231
232
  sqlite3_limit db SQLITE_LIMIT_LIKE_PATTERN_LENGTH -1
} $SQLITE_MAX_LIKE_PATTERN_LENGTH
do_test sqllimits1-4.10.1 {
  sqlite3_limit db SQLITE_LIMIT_VARIABLE_NUMBER 0x7fffffff
  sqlite3_limit db SQLITE_LIMIT_VARIABLE_NUMBER -1
} $SQLITE_MAX_VARIABLE_NUMBER



#--------------------------------------------------------------------
# Test cases sqllimits1-5.* test that the SQLITE_MAX_LENGTH limit
# is enforced.
#
db close
sqlite3 db test.db
set LARGESIZE 99999
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
  set tail " /* A comment to take up space in order to make the string\
                longer without increasing the expression depth */\
                AND   1  ==  1"
  set N [expr {(50000 / [string length $tail])+1}]
  append sql [string repeat $tail $N]
  catchsql $sql
} {1 {String or BLOB exceeded size limit}}
do_test sqllimits1-6.2 {
  sqlite3_limit db SQLITE_LIMIT_SQL_LENGTH 0
  catchsql $sql
} {0 1}
do_test sqllimits1-6.3 {
  sqlite3_limit db SQLITE_LIMIT_SQL_LENGTH 50000
  set sql "SELECT 1 WHERE 1==1"
  set tail " /* A comment to take up space in order to make the string\
                longer without increasing the expression depth */\
                AND   1  ==  1"
  set N [expr {(50000 / [string length $tail])+1}]







<
<
<
<







349
350
351
352
353
354
355




356
357
358
359
360
361
362
  set tail " /* A comment to take up space in order to make the string\
                longer without increasing the expression depth */\
                AND   1  ==  1"
  set N [expr {(50000 / [string length $tail])+1}]
  append sql [string repeat $tail $N]
  catchsql $sql
} {1 {String or BLOB exceeded size limit}}




do_test sqllimits1-6.3 {
  sqlite3_limit db SQLITE_LIMIT_SQL_LENGTH 50000
  set sql "SELECT 1 WHERE 1==1"
  set tail " /* A comment to take up space in order to make the string\
                longer without increasing the expression depth */\
                AND   1  ==  1"
  set N [expr {(50000 / [string length $tail])+1}]