Return an error if an attempt is made to create a trigger with an SQL variable embedded within it. If such a variable reference is found within a trigger definition loaded from the sqlite_master table, silently replace it with a NULL.

FossilOrigin-Name: f35f6ae3da77dbdf5f7a4a9927475659fc6e0ca6
2013-10-03 12:29:38 +00:00 · 2013-10-03 12:29:38 +00:00 · 46539d7cfa
commit 46539d7cfa
parent 582d47d27a
6 changed files with 160 additions and 21 deletions
--- a/19
+++ b/19
@ -1,5 +1,5 @@
-C Remove\sunnecessary\smemset()\scalls\sfrom\stest\scode.
-D 2013-10-03T11:27:56.219
+C Return\san\serror\sif\san\sattempt\sis\smade\sto\screate\sa\strigger\swith\san\sSQL\svariable\sembedded\swithin\sit.\sIf\ssuch\sa\svariable\sreference\sis\sfound\swithin\sa\strigger\sdefinition\sloaded\sfrom\sthe\ssqlite_master\stable,\ssilently\sreplace\sit\swith\sa\sNULL.
+D 2013-10-03T12:29:38.279
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5e41da95d92656a5004b03d3576e8b226858a28e
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@ -158,7 +158,7 @@ F sqlite3.1 6be1ad09113570e1fc8dcaff84c9b0b337db5ffc
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
 F src/alter.c 2af0330bb1b601af7a7789bf7229675fd772a083
 F src/analyze.c d322972af09e3f8debb45f420dfe3ded142b108b
-F src/attach.c 4a2b6a6d9b5f9fd55a8b59488ff7929fef73a195
+F src/attach.c 64859892b2a922c36c936f22dbce40e3c8044749
 F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34
 F src/backup.c 2f1987981139bd2f6d8c728d64bf09fb387443c3
 F src/bitvec.c 19a4ba637bd85f8f63fc8c9bae5ade9fb05ec1cb
@ -221,7 +221,7 @@ F src/shell.c 5ee50ca3e35453bbd6ccdf1bdd0f6bbe9738e9fb
 F src/sqlite.h.in ec40aa958a270416fb04b4f72210357bf163d2c5
 F src/sqlite3.rc 11094cc6a157a028b301a9f06b3d03089ea37c3e
 F src/sqlite3ext.h 886f5a34de171002ad46fae8c36a7d8051c190fc
-F src/sqliteInt.h 18c7f80e7e23098942436f7286e9c93adc6908be
+F src/sqliteInt.h d759d22c3c4c8e88ccd550c7aa174a190ca768f6
 F src/sqliteLimit.h 164b0e6749d31e0daa1a4589a169d31c0dec7b3d
 F src/status.c 7ac05a5c7017d0b9f0b4bcd701228b784f987158
 F src/table.c 2cd62736f845d82200acfa1287e33feb3c15d62e
@ -272,7 +272,7 @@ F src/test_vfs.c e72f555ef7a59080f898fcf1a233deb9eb704ea9
 F src/test_vfstrace.c 34b544e80ba7fb77be15395a609c669df2e660a2
 F src/test_wsd.c 41cadfd9d97fe8e3e4e44f61a4a8ccd6f7ca8fe9
 F src/tokenize.c 70061085a51f2f4fc15ece94f32c03bcb78e63b2
-F src/trigger.c 5c0ea9b8755e7c5e1a700f3e27ac4f8d92dd221e
+F src/trigger.c 9e6976b6d67de26bbaabb361f28a90b799d80434
 F src/update.c f5182157f5d0d0a97bc5f5e3c9bdba0dfbe08f08
 F src/utf.c 6fc6c88d50448c469c5c196acf21617a24f90269
 F src/util.c 7f3e35432d6888d1e770c488c35bd98970c44eec
@ -987,6 +987,7 @@ F test/triggerA.test fe5597f47ee21bacb4936dc827994ed94161e332
 F test/triggerB.test 56780c031b454abac2340dbb3b71ac5c56c3d7fe
 F test/triggerC.test a7b4367392c755bc5fd5fff88011753e6b6afe90
 F test/triggerD.test 8e7f3921a92a5797d472732108109e44575fa650
+F test/triggerE.test 355e9c5cbaed5cd039a60baad1fb2197caeb8e52
 F test/tt3_checkpoint.c 415eccce672d681b297485fc20f44cdf0eac93af
 F test/types.test bf816ce73c7dfcfe26b700c19f97ef4050d194ff
 F test/types2.test 3555aacf8ed8dc883356e59efc314707e6247a84
@ -1118,7 +1119,7 @@ F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381
 F tool/wherecosttest.c f407dc4c79786982a475261866a161cd007947ae
 F tool/win/sqlite.vsix 030f3eeaf2cb811a3692ab9c14d021a75ce41fff
-P 8d399a03de63c15908d63ed69140ee15c6275b8d
-R ae588916fdc736be6c4dac87b59614c6
-U drh
-Z 0a2b0d9a2a1e75ecb540daf6b8322ce3
+P eec3187bc68ddebdbc2113f77c7f5cd32e9be61f
+R bcf82dacad10da610aa03ba9f5dccbf3
+U dan
+Z 81b7035f34aeb81458a978a9137553b8
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-eec3187bc68ddebdbc2113f77c7f5cd32e9be61f
+f35f6ae3da77dbdf5f7a4a9927475659fc6e0ca6
--- a/src/attach.c
+++ b/src/attach.c
@ -430,7 +430,7 @@ int sqlite3FixInit(
 ){
  sqlite3 *db;

-  if( NEVER(iDb<0) || iDb==1 ) return 0;
+  if( NEVER(iDb<0) ) return 0;
  db = pParse->db;
  assert( db->nDb>iDb );
  pFix->pParse = pParse;
@ -438,6 +438,7 @@ int sqlite3FixInit(
  pFix->pSchema = db->aDb[iDb].pSchema;
  pFix->zType = zType;
  pFix->pName = pName;
+  pFix->bVarOnly = (iDb==1);
  return 1;
 }

@ -466,15 +467,17 @@ int sqlite3FixSrcList(
  if( NEVER(pList==0) ) return 0;
  zDb = pFix->zDb;
  for(i=0, pItem=pList->a; i<pList->nSrc; i++, pItem++){
-    if( pItem->zDatabase && sqlite3StrICmp(pItem->zDatabase, zDb) ){
-      sqlite3ErrorMsg(pFix->pParse,
-         "%s %T cannot reference objects in database %s",
-         pFix->zType, pFix->pName, pItem->zDatabase);
-      return 1;
+    if( pFix->bVarOnly==0 ){
+      if( pItem->zDatabase && sqlite3StrICmp(pItem->zDatabase, zDb) ){
+        sqlite3ErrorMsg(pFix->pParse,
+            "%s %T cannot reference objects in database %s",
+            pFix->zType, pFix->pName, pItem->zDatabase);
+        return 1;
+      }
+      sqlite3DbFree(pFix->pParse->db, pItem->zDatabase);
+      pItem->zDatabase = 0;
+      pItem->pSchema = pFix->pSchema;
    }
-    sqlite3DbFree(pFix->pParse->db, pItem->zDatabase);
-    pItem->zDatabase = 0;
-    pItem->pSchema = pFix->pSchema;
 #if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_TRIGGER)
    if( sqlite3FixSelect(pFix, pItem->pSelect) ) return 1;
    if( sqlite3FixExpr(pFix, pItem->pOn) ) return 1;
@ -497,9 +500,21 @@ int sqlite3FixSelect(
    if( sqlite3FixExpr(pFix, pSelect->pWhere) ){
      return 1;
    }
+    if( sqlite3FixExprList(pFix, pSelect->pGroupBy) ){
+      return 1;
+    }
    if( sqlite3FixExpr(pFix, pSelect->pHaving) ){
      return 1;
    }
+    if( sqlite3FixExprList(pFix, pSelect->pOrderBy) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pSelect->pLimit) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pSelect->pOffset) ){
+      return 1;
+    }
    pSelect = pSelect->pPrior;
  }
  return 0;
@ -509,6 +524,14 @@ int sqlite3FixExpr(
  Expr *pExpr        /* The expression to be fixed to one database */
 ){
  while( pExpr ){
+    if( pExpr->op==TK_VARIABLE ){
+      if( pFix->pParse->db->init.busy ){
+        pExpr->op = TK_NULL;
+      }else{
+        sqlite3ErrorMsg(pFix->pParse, "%s cannot use variables", pFix->zType);
+        return 1;
+      }
+    }
    if( ExprHasProperty(pExpr, EP_TokenOnly) ) break;
    if( ExprHasProperty(pExpr, EP_xIsSelect) ){
      if( sqlite3FixSelect(pFix, pExpr->x.pSelect) ) return 1;
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@ -2414,6 +2414,7 @@ typedef struct DbFixer DbFixer;
 struct DbFixer {
  Parse *pParse;      /* The parsing context.  Error messages written here */
  Schema *pSchema;    /* Fix items to this schema */
+  int bVarOnly;       /* Check for variable references only */
  const char *zDb;    /* Make sure all objects are contained in this database */
  const char *zType;  /* Type of the container - used for error messages */
  const Token *pName; /* Name of the container - used for error messages */
--- a/src/trigger.c
+++ b/src/trigger.c
@ -291,8 +291,10 @@ void sqlite3FinishTrigger(
  }
  nameToken.z = pTrig->zName;
  nameToken.n = sqlite3Strlen30(nameToken.z);
-  if( sqlite3FixInit(&sFix, pParse, iDb, "trigger", &nameToken) 
-          && sqlite3FixTriggerStep(&sFix, pTrig->step_list) ){
+  if( sqlite3FixInit(&sFix, pParse, iDb, "trigger", &nameToken) && (
+      sqlite3FixTriggerStep(&sFix, pTrig->step_list) 
+   || sqlite3FixExpr(&sFix, pTrig->pWhen) 
+  )){
    goto triggerfinish_cleanup;
  }

--- a/test/triggerE.test
+++ b/test/triggerE.test
@ -0,0 +1,112 @@
+# 2009 December 29
+#
+# The author disclaims copyright to this source code.  In place of
+# a legal notice', here is a blessing:
+#
+#    May you do good and not evil.
+#    May you find forgiveness for yourself and forgive others.
+#    May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+# This file tests the effects of SQL variable references embedded in
+# triggers. If the user attempts to create such a trigger, it is an
+# error. However, if an existing trigger definition is read from
+# the sqlite_master table, the variable reference always evaluates
+# to NULL.
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+ifcapable {!trigger} {
+  finish_test
+  return
+}
+set testprefix triggerE
+
+do_execsql_test 1.0 {
+  CREATE TABLE t1(a, b);
+  CREATE TABLE t2(c, d);
+  CREATE TABLE t3(e, f);
+}
+
+# forcedelete test.db2
+# do_execsql_test 1.1 {
+#   ATTACH 'test.db2' AS aux;
+#   CREATE TABLE aux.t4(x);
+#   INSERT INTO aux.t4 VALUES(5);
+# 
+#   CREATE TRIGGER tr1 AFTER INSERT ON t1 WHEN new.a IN (SELECT x FROM aux.t4)
+#   BEGIN
+#     SELECT 1;
+#   END;
+# } 
+# do_execsql_test 1.2 { INSERT INTO t1 VALUES(1,1); }
+# do_execsql_test 1.3 { INSERT INTO t1 VALUES(5,5); }
+
+#-------------------------------------------------------------------------
+# Attempt to create various triggers that use bound variables.
+#
+set errmsg "trigger cannot use variables"
+foreach {tn defn} {
+  1 { AFTER INSERT ON t1 WHEN new.a = ? BEGIN SELECT 1; END; }
+  2 { BEFORE DELETE ON t1 BEGIN SELECT ?; END; }
+  3 { BEFORE DELETE ON t1 BEGIN SELECT * FROM (SELECT * FROM (SELECT ?)); END; }
+  5 { BEFORE DELETE ON t1 BEGIN SELECT * FROM t2 GROUP BY ?; END; }
+  6 { BEFORE DELETE ON t1 BEGIN SELECT * FROM t2 LIMIT ?; END; }
+  7 { BEFORE DELETE ON t1 BEGIN SELECT * FROM t2 ORDER BY ?; END; }
+  8 { BEFORE UPDATE ON t1 BEGIN UPDATE t2 SET c = ?; END; }
+  9 { BEFORE UPDATE ON t1 BEGIN UPDATE t2 SET c = 1 WHERE d = ?; END; }
+} {
+  catchsql {drop trigger tr1}
+  do_catchsql_test 1.1.$tn "CREATE TRIGGER tr1 $defn" [list 1 $errmsg]
+  do_catchsql_test 1.2.$tn "CREATE TEMP TRIGGER tr1 $defn" [list 1 $errmsg]
+}
+
+#-------------------------------------------------------------------------
+# Test that variable references within trigger definitions loaded from 
+# the sqlite_master table are automatically converted to NULL.
+#
+do_execsql_test 2.1 {
+  PRAGMA writable_schema = 1;
+  INSERT INTO sqlite_master VALUES('trigger', 'tr1', 't1', 0,
+    'CREATE TRIGGER tr1 AFTER INSERT ON t1 BEGIN 
+        INSERT INTO t2 VALUES(?1, ?2); 
+     END'
+  );
+
+  INSERT INTO sqlite_master VALUES('trigger', 'tr2', 't3', 0,
+    'CREATE TRIGGER tr2 AFTER INSERT ON t3 WHEN ?1 IS NULL BEGIN
+        UPDATE t2 SET c=d WHERE c IS ?2;
+     END'
+  );
+}
+db close
+sqlite3 db test.db
+
+do_execsql_test 2.2.1 {
+  INSERT INTO t1 VALUES(1, 2);
+  SELECT * FROM t2;
+} {{} {}}
+do_test 2.2.2 {
+  set one 3
+  execsql {
+    DELETE FROM t2;
+    INSERT INTO t1 VALUES($one, ?1);
+    SELECT * FROM t2;
+  }
+} {{} {}}
+do_execsql_test 2.2.3 { SELECT * FROM t1 } {1 2 3 3}
+
+do_execsql_test 2.3 {
+  DELETE FROM t2;
+  INSERT INTO t2 VALUES('x', 'y');
+  INSERT INTO t2 VALUES(NULL, 'z');
+  INSERT INTO t3 VALUES(1, 2);
+  SELECT * FROM t3;
+  SELECT * FROM t2;
+} {1 2 x y z z}
+
+finish_test
+
+