diff --git a/manifest b/manifest index d87ef3af84..225fc91c4f 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Fix\sfor\sticket\s#54:\sExport\sadditional\sAPIs\sto\sthe\sWin32\sDLL.\s(CVS\s672) -D 2002-07-13T14:41:50 +C Added\sa\sdocument\sdescribing\show\sto\sdo\sa\ssecurity\saudit.\s(CVS\s673) +D 2002-07-13T16:52:35 F Makefile.in 6291a33b87d2a395aafd7646ee1ed562c6f2c28c F Makefile.template 4e11752e0b5c7a043ca50af4296ec562857ba495 F README a4c0ba11354ef6ba0776b400d057c59da47a4cc0 @@ -124,6 +124,7 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff F www/arch.fig d5f9752a4dbf242e9cfffffd3f5762b6c63b3bcf F www/arch.png 82ef36db1143828a7abc88b1e308a5f55d4336f4 F www/arch.tcl 72a0c80e9054cc7025a50928d28d9c75c02c2b8b +F www/audit.tcl 90e09d580f79c7efec0c7d6f447b7ec5c2dce5c0 F www/c_interface.tcl 58cf4d128dcae08d91d0011c6d4d11de323f470f F www/changes.tcl a6d732a78b451eab29a66a068dc07b359f32c5a8 F www/conflict.tcl 81dd21f9a679e60aae049e9dd8ab53d59570cda2 @@ -140,7 +141,7 @@ F www/speed.tcl da8afcc1d3ccc5696cfb388a68982bc3d9f7f00f F www/sqlite.tcl ae3dcfb077e53833b59d4fcc94d8a12c50a44098 F www/tclsqlite.tcl 1db15abeb446aad0caf0b95b8b9579720e4ea331 F www/vdbe.tcl 2013852c27a02a091d39a766bc87cff329f21218 -P 0603eb74e6aca48f62bd95cb6c236b9e559af850 -R fec5cfcbc1c303b4f7beaf771235ce69 +P 072fd2ad588332b1f1f725515bedfbc0cf035315 +R 0c58a47e130f778dc9990a3b129c0313 U drh -Z b3e582a584f7f5a3ef64bc137f861e98 +Z 87e130d886df3a6228f2f58c5ec9b87e diff --git a/manifest.uuid b/manifest.uuid index b72dd0cb74..447662e73e 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -072fd2ad588332b1f1f725515bedfbc0cf035315 \ No newline at end of file +cff271837796d84471b09147c59cb7601d16b358 \ No newline at end of file diff --git a/www/audit.tcl b/www/audit.tcl new file mode 100644 index 0000000000..8b30373aed --- /dev/null +++ b/www/audit.tcl 
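Review bot: nothing in this commit wires the new page into the doc build or the site navigation. The only edits are the manifest, manifest.uuid and the new www/audit.tcl; the manifest lines for `F Makefile.in 6291a33b87d2a395aafd7646ee1ed562c6f2c28c` and for every existing www/*.tcl page are unchanged context, so unless audit.html is already produced by a wildcard rule and linked from somewhere, it will neither be generated nor be reachable. Add the build target and an index link in the same change, or say in the commit message where that is expected to happen.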
@@ -0,0 +1,214 @@ +# +# Run this Tcl script to generate the audit.html file. +# +set rcsid {$Id: audit.tcl,v 1.1 2002/07/13 16:52:35 drh Exp $} + +puts { + + SQLite Security Audit Procedure + + +

+SQLite Security Audit Procedure +

} +puts "

+(This page was last modified on [lrange $rcsid 3 4] UTC) +

" + +puts { +

+A security audit for SQLite consists of two components. First, there is +a check for common errors that often lead to security problems. Second, +an attempt is made to construct a proof that SQLite has certain desirable +security properties. +

+ +

Part I: Things to check

+ +

+Scan all source code and check for the following common errors: +

+ +
    +
  1. +Verify that the destination buffer is large enough to hold its result +in every call to the following routines: +

    +

  2. +
  3. +Verify that pointers returned by subroutines are not NULL before using +the pointers. In particular, make sure the return values for the following +routines are checked before they are used: +

    +

  4. +
  5. +On all functions and procedures, verify that pointer parameters are not NULL +before dereferencing those parameters. +

  6. +
  7. +Check to make sure that temporary files are opened safely: that the process +will not overwrite an existing file when opening the temp file and that +another process is unable to substitute a file for the temp file being +opened. +

  8. +
+ + + +

Part II: Things to prove

+ +

+Prove that SQLite exhibits the characteristics outlined below: +

+ +
    +
  1. +The following are preconditions:

    +

    +

    The following statement of C code is executed:

    +
    +sqlite_exec_printf(
    +   db,
    +   "INSERT INTO t1(a) VALUES('%q');", 
    +   0, 0, 0, Z
    +);
    +
    +

    Prove the following are true for all possible values of string Z:

    +
      +
    1. +The call to sqlite_exec_printf() will +return in a length of time that is a polynomial in strlen(Z). +It might return an error code but it will not crash. +

    2. +
    3. +At most one new row will be inserted into table t1. +

    4. +
    5. +No preexisting rows of t1 will be deleted or modified. +

    6. +
    7. +No tables other than t1 will be altered in any way. +

    8. +
    9. +No preexisting files on the host computers filesystem, other than +the database file itself, will be deleted or modified. +

    10. +
    11. +For some constants K1 and K2, +if at least K1*strlen(Z) + K2 bytes of contiguous memory are +available to malloc(), then the call to sqlite_exec_printf() +will not return SQLITE_NOMEM. +

    12. +
    +

  2. + + +
  3. +The following are preconditions: +

    +

    The following statement of C code is executed:

    +
    +sqlite_exec(db, Z, cb, 0, 0);
    +
    +

    Prove the following are true for all possible values of string Z:

    +
      +
    1. +The call to sqlite_exec() will +return in a length of time which is a polynomial in strlen(Z). +It might return an error code but it will not crash. +

    2. +
    3. +After sqlite_exec() returns, the buffer Y will not contain +any content from any preexisting file on the host computers file system, +except for the database file. +

    4. +
    5. +After the call to sqlite_exec() returns, the database file will +still be well-formed. It might not contain the same data, but it will +still be a properly constructed SQLite database file. +

    6. +
    7. +No preexisting files on the host computers filesystem, other than +the database file itself, will be deleted or modified. +

    8. +
    9. +For some constants K1 and K2, +if at least K1*strlen(Z) + K2 bytes of contiguous memory are +available to malloc(), then the call to sqlite_exec() +will not return SQLITE_NOMEM. +

    10. +
    +

  4. + +
+} +puts { +


+

+Back to the SQLite Home Page +

+ +}
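Review bot: Part II, item 2, property 1 ("The call to sqlite_exec() will return in a length of time which is a polynomial in strlen(Z)") cannot be proved as written, because in this case Z is arbitrary SQL rather than a quoted literal. A short Z that joins t1 with itself k times runs in time on the order of |t1|^k, so the running time depends on the size of the existing database and, for a fixed non-trivial database, grows exponentially in strlen(Z) since the degree is chosen by Z. Either restate the property as termination without crashing (the "it will not crash" half is the security-relevant part), or bound the time by a polynomial of fixed, Z-independent degree in strlen(Z) plus the size of the database file. The same property in item 1 is fine, since there Z only ever becomes a single quoted literal inside "INSERT INTO t1(a) VALUES('%q');". Two smaller gaps: item 1 asserts that no other tables and no other files are altered but never asserts that the database file itself remains well-formed, which item 2 property 3 does require and which should hold a fortiori for the INSERT case, so add it to item 1 as well; and the Part I checklist covers destination buffer sizes, NULL return values, NULL pointer parameters and temp-file creation but says nothing about format strings, even though item 1 of Part II rests entirely on %q quoting inside sqlite_exec_printf(), so add a check that no externally supplied string is ever passed as the format argument of sqlite_exec_printf() or any other printf-style routine. Typo, twice: "host computers filesystem" should read "host computer's filesystem".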