/ Check-in [b8a0f1b5]

Overview
Comment:Allow only "localhost" and "" as authorities in URIs. Do not allow escapes (%HH) in the authority part of a URI.
SHA1: b8a0f1b523d1f31c8e7a102ba4bae5935b07104a
User & Date: dan 2011-05-03 11:53:20
Context
2011-05-03
15:09
Remove some unused code related to URI parsing. check-in: 008cd0ef user: dan tags: uri
11:53
Allow only "localhost" and "" as authorities in URIs. Do not allow escapes (%HH) in the authority part of a URI. check-in: b8a0f1b5 user: dan tags: uri
10:22
Change the supported URI options to "mode" and "cache". check-in: 0a694a0b user: dan tags: uri
Changes

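--- a/src/main.c
+++ b/src/main.c
@@ -1824,14 +1824,21 @@
     zFile = sqlite3_malloc(nByte);
     if( !zFile ) return SQLITE_NOMEM;
 
     /* Discard the scheme and authority segments of the URI. */
     if( zUri[5]=='/' && zUri[6]=='/' ){
       iIn = 7;
       while( zUri[iIn] && zUri[iIn]!='/' ) iIn++;
+
+      if( iIn!=7 && (iIn!=16 || memcmp("localhost", &zUri[7], 9)) ){
+        *pzErrMsg = sqlite3_mprintf("invalid uri authority: %.*s", 
+            iIn-7, &zUri[7]);
+        rc = SQLITE_ERROR;
+        goto parse_uri_out;
+      }
     }else{
       iIn = 5;
     }
 
     /* Copy the filename and any query parameters into the zFile buffer. 
     ** Decode %HH escape codes along the way. 
     **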
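Review bot: The new authority check relies on two things the code does not state: the literal offsets 7 and 16 (the lengths of `file://` and `file://localhost`), and the fact that it compares the raw bytes before the %HH decoding loop that follows, which is what rejects an escaped spelling such as `l%6Fcalhost`. A comment above the `if` would protect that ordering from a later refactor, for example `/* Authority must be empty or exactly "localhost"; compared undecoded, so %HH escapes are rejected. 7==strlen("file://"), 16==7+strlen("localhost"). */`. The error branch runs after `zFile = sqlite3_malloc(nByte)` and jumps to `parse_uri_out`, which lies outside this hunk, so it is worth confirming that the label frees zFile when rc is not SQLITE_OK. sqlite3_mprintf() can return NULL on allocation failure, in which case the caller receives SQLITE_ERROR with a NULL message rather than SQLITE_NOMEM. The enclosing function starts and ends outside the hunk.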

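--- a/test/uri.test
+++ b/test/uri.test
@@ -29,26 +29,26 @@
 
 #-------------------------------------------------------------------------
 # Test that file names are correctly extracted from URIs.
 #
 foreach {tn uri file} {
   1      test.db                            test.db
   2      file:test.db                       test.db
-  3      file://an-authorityPWD/test.db     test.db
+  3      file://PWD/test.db     test.db
   4      file:PWD/test.db                   test.db
   5      file:test.db?mork=1                test.db
   6      file:test.db?mork=1&tonglor=2      test.db
   7      file:test.db?mork=1#boris          test.db
   8      file:test.db#boris                 test.db
   9      test.db#boris                      test.db#boris
   10     test.db?mork=1#boris               test.db?mork=1#boris
   11     file:test%2Edb                     test.db
   12     file                               file
   13     http:test.db                       http:test.db
-  14     file://xyzPWD/test.db%3Fhello      test.db?hello
+  14     file://localhostPWD/test.db%3Fhello   test.db?hello
   15     file:test.db%00extra               test.db
   16     file:test%00.db%00extra            test
 } {
   set uri  [string map [list PWD [pwd]] $uri]
   set file [string map [list PWD [pwd]] $file]
 
   forcedelete $file
@@ -60,15 +60,14 @@
 
   do_test 1.$tn.3 { file exists $file } 0
   sqlite3 db xxx.db
   execsql { ATTACH $uri AS aux }
   do_test 1.$tn.4 { file exists $file } 1
   db close
 }
-
 
 #-------------------------------------------------------------------------
 # Test that URI query parameters are passed through to the VFS layer
 # correctly.
 #
 testvfs tvfs -default 1
 tvfs filter xOpen
@@ -238,10 +237,30 @@
 do_test 5.1.2 {
   lsort [array names ::T2]
 } {test.db2 test.db2-journal test.db2-wal}
 
 db close
 tvfs1 delete
 tvfs2 delete
+
+#-------------------------------------------------------------------------
+# Check that only "" and "localhost" are acceptable as authorities.
+#
+catch {db close}
+foreach {tn uri res} {
+  1     "file://localhost/PWD/test.db"   {not an error}
+  2     "file:///PWD/test.db"            {not an error}
+  3     "file:/PWD/test.db"              {not an error}
+  4     "file://l%6Fcalhost/PWD/test.db" {invalid uri authority: l%6Fcalhost}
+  5     "file://lbcalhost/PWD/test.db"   {invalid uri authority: lbcalhost}
+  6     "file://x/PWD/test.db"           {invalid uri authority: x}
+} {
+  set uri  [string map [list PWD [string range [pwd] 1 end]] $uri]
+  do_test 6.$tn {
+    set DB [sqlite3_open $uri]
+    sqlite3_errmsg $DB
+  } $res
+  catch { sqlite3_close $DB }
+}
 
 finish_test
 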
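Review bot: The rejected rows in the new block 6 include no authority that begins with `localhost` and then continues, so a comparison that matched only the first nine bytes would still pass all six rows. A row such as `7     "file://localhost.x/PWD/test.db" {invalid uri authority: localhost.x}` would pin the length half of the check in src/main.c (`iIn!=16`). A row for `file://LOCALHOST/PWD/test.db` would also record whether the case-sensitive comparison is intended. The accepted rows only compare sqlite3_errmsg with `not an error`; they do not assert which file was opened.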