[New-bugs-announce] [issue43763] [sqlite3] Use SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION iso. sqlite3_enable_load_extension()

Erlend Egeberg Aasland report at bugs.python.org
Wed Apr 7 07:36:12 EDT 2021


New submission from Erlend Egeberg Aasland <erlend.aasland at innova.no>:

Quoting from the SQLite docs:
"It is recommended that extension loading be enabled using the SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION method rather than this interface, so the load_extension() SQL function remains disabled. This will prevent SQL injections from giving attackers access to extension loading capabilities."

Suggesting to make sqlite3.Connection.enable_load_extension a module level function, and use sqlite3_db_config() iso. sqlite3_enable_load_extension(). We could add an optional argument for also enabling the SQL function.

1. Introduce sqlite3.enable_load_extension(enable, /, enable_sql_api=False)
2. Add deprecation warning to sqlite3.Connection.enable_load_extension()
3. In Python 3.12, remove sqlite3.Connection.enable_load_extension()

----------
components: Extension Modules
messages: 390422
nosy: berker.peksag, christian.heimes, erlendaasland
priority: normal
severity: normal
status: open
title: [sqlite3] Use SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION iso. sqlite3_enable_load_extension()
type: security
versions: Python 3.10

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43763>
_______________________________________
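
The exposure described in the report, as an added example that is not part of the original message or of CPython: a probe that checks whether SQL text on a connection can reach `load_extension()`, run before and after `Connection.enable_load_extension(True)`, and again with an authorizer that vetoes the SQL function. `PROBE_PATH`, `sql_load_extension_reachable`, `deny_sql_load_extension` and `survey` are names made up for this sketch, and the probe path is a constructed, nonexistent file.

```python
import sqlite3

PROBE_PATH = "/nonexistent/constructed-probe"  # constructed; no such file exists


def sql_load_extension_reachable(conn):
    """True if SQL text run on conn can reach the extension loader."""
    try:
        conn.execute("SELECT load_extension(?)", (PROBE_PATH,))
    except sqlite3.Error as exc:
        msg = str(exc).lower()
        # "authoriz...": SQL function disabled, or vetoed by an authorizer.
        # "no such function": SQLite built without extension loading.
        return not ("authoriz" in msg or "no such function" in msg)
    return True


def deny_sql_load_extension(action, arg1, arg2, dbname, source):
    """Authorizer that vetoes only the load_extension() SQL function."""
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() == "load_extension":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def survey():
    """Probe a fresh, an enabled and an enabled-but-guarded connection."""
    conn = sqlite3.connect(":memory:")
    result = {"default": sql_load_extension_reachable(conn),
              "enabled": None, "guarded": None}
    # The method is absent when CPython was built without extension support.
    if hasattr(conn, "enable_load_extension"):
        conn.enable_load_extension(True)
        result["enabled"] = sql_load_extension_reachable(conn)
        conn.set_authorizer(deny_sql_load_extension)
        result["guarded"] = sql_load_extension_reachable(conn)
        conn.enable_load_extension(False)
    conn.close()
    return result


if __name__ == "__main__":
    print(survey())
```

The authorizer leaves the C-level `Connection.load_extension()` path untouched, so an application can keep loading its own extensions while injected SQL cannot.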