Disable the ability to change the schema_version cookie when

SQLITE_DBCONFIG_DEFENSIVE mode is enabled. This is a security enhancement inspired by the question in [forum:/forumpost/2b9cc3dae1f1e5f6|forum post 2b9cc3dae1f1e5f6]. FossilOrigin-Name: 1d81381e8f5db5d7064cc313b8544ca3cb1ca9e8cd61e71368a2d2e598befc9c
2022-11-12 17:17:01 +00:00 · 2022-11-12 17:17:01 +00:00 · 7e475e571f
commit 7e475e571f
parent a6303704a3
5 changed files with 24 additions and 18 deletions
--- a/16
+++ b/16
@ -1,5 +1,5 @@
-C Remove\sunnecessary\stabs\sin\sthe\sChaCha20\simplementation.\n[forum:/forumpost/0cdce5db8c|Forum\spost\s0cdce5db8c].
-D 2022-11-10T23:10:11.615
+C Disable\sthe\sability\sto\schange\sthe\sschema_version\scookie\swhen\nSQLITE_DBCONFIG_DEFENSIVE\smode\sis\senabled.\s\sThis\sis\sa\ssecurity\nenhancement\sinspired\sby\sthe\squestion\sin\n[forum:/forumpost/2b9cc3dae1f1e5f6|forum\spost\s2b9cc3dae1f1e5f6].
+D 2022-11-12T17:17:01.440
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@ -630,7 +630,7 @@ F src/parse.y 8e67d820030d2655b9942ffe61c1e7e6b96cea2f2f72183533299393907d0564
 F src/pcache.c f4268f7f73c6a3db12ce22fd25bc68dc42315d19599414ab1207d7cf32f79197
 F src/pcache.h 4f87acd914cef5016fae3030343540d75f5b85a1877eed1a2a19b9f284248586
 F src/pcache1.c dee95e3cd2b61e6512dc814c5ab76d5eb36f0bfc9441dbb4260fccc0d12bbddc
-F src/pragma.c 41430ca04735cc8e5d003bfd9315eadede3ec326e50805cc81bcf34e46601292
+F src/pragma.c 894c2621d35edd4beea9b331cfdb1b42032394420074d2294c8febe548eea8a1
 F src/pragma.h e690a356c18e98414d2e870ea791c1be1545a714ba623719deb63f7f226d8bb7
 F src/prepare.c 1b02be0441eda4579471fea097f678effcbb77ef0c39ab3f703c837822bcd674
 F src/printf.c e99ee9741e79ae3873458146f59644276657340385ade4e76a5f5d1c25793764
@ -639,7 +639,7 @@ F src/resolve.c efea4e5fbecfd6d0a9071b0be0d952620991673391b6ffaaf4c277b0bb674633
 F src/rowset.c ba9515a922af32abe1f7d39406b9d35730ed65efab9443dc5702693b60854c92
 F src/select.c 9886d6669f5787471aab6ae52af76fad90b53edb1c218fc9ed9d953363bc5184
 F src/shell.c.in 458cb3de9d548342fc645b699620b1af3de770d2ceec09ac71f86c19bd244064
-F src/sqlite.h.in 46052b3bcab8d34387bbe9ae4f49da9c2e05f19188bbd15a1c05abd895b56b23
+F src/sqlite.h.in bdb10b78166f5b735318667eb16c84ac90d9e0de88cc25c193eeb4379a126945
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
 F src/sqlite3ext.h c4b9fa7a7e2bcdf850cfeb4b8a91d5ec47b7a00033bc996fd2ee96cbf2741f5f
 F src/sqliteInt.h 2c24ba38f78e32fe5d7ec136321a6ad827698b33ca98664970a8b7274d69ef7c
@ -1388,7 +1388,7 @@ F test/pcache2.test af7f3deb1a819f77a6d0d81534e97d1cf62cd442
 F test/percentile.test 4243af26b8f3f4555abe166f723715a1f74c77ff
 F test/permutations.test 3e0d6eea70e5087f3240b1a2fe621b0c73445f38a262029f0a1d2d89564026f7
 F test/pg_common.tcl 3b27542224db1e713ae387459b5d117c836a5f6e328846922993b6d2b7640d9f
-F test/pragma.test cae534c12a033a5c319ccc94f50b32811acdef9f67bf19a82ff42697caccd69f
+F test/pragma.test 620622fb0815f1cbea8e26e1d8abad38e0cbcbed8927fd84048fe9fd6239e323
 F test/pragma2.test e5d5c176360c321344249354c0c16aec46214c9f
 F test/pragma3.test 92a46bbea12322dd94a404f49edcfbfc913a2c98115f0d030a7459bb4712ef31
 F test/pragma4.test ca5e4dfc46adfe490f75d73734f70349d95a199e6510973899e502eef2c8b1f8
@ -2055,8 +2055,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 8daf24ff73dd9928057412e0e4c2e2b2e47e1dca66acfb6b07c846e8d97582cc
-R 04ffbe7f24cddf4f03c02f462fa8206c
+P b7179efbdb2bdc878acec0abfe272821f7e0d7d9e5ef06cd7fd796ef295e54ab
+R 1ae1e1e0e2d3eaf2b1386dd814d281df
 U drh
-Z fb89e7a00a9caa7fe7a2edc92e6dface
+Z a3334ad40cf4fd00431bfdbdbeacf669
 # Remove this line to create a well-formed Fossil manifest.
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-b7179efbdb2bdc878acec0abfe272821f7e0d7d9e5ef06cd7fd796ef295e54ab
+1d81381e8f5db5d7064cc313b8544ca3cb1ca9e8cd61e71368a2d2e598befc9c
--- a/src/pragma.c
+++ b/src/pragma.c
@ -2170,6 +2170,11 @@ void sqlite3Pragma(
      aOp[1].p2 = iCookie;
      aOp[1].p3 = sqlite3Atoi(zRight);
      aOp[1].p5 = 1;
+      if( iCookie==BTREE_SCHEMA_VERSION && (db->flags & SQLITE_Defensive)!=0 ){
+        /* Do not allow the use of PRAGMA schema_version=VALUE in defensive
+        ** mode.  Change the OP_SetCookie opcode into a no-op.  */
+        aOp[1].opcode = OP_Noop;
+      }
    }else{
      /* Read the specified cookie value */
      static const VdbeOpList readCookie[] = {
--- a/src/sqlite.h.in
+++ b/src/sqlite.h.in
@ -2339,6 +2339,7 @@ struct sqlite3_mem_methods {
 ** <ul>
 ** <li> The [PRAGMA writable_schema=ON] statement.
 ** <li> The [PRAGMA journal_mode=OFF] statement.
+** <li> The [PRAGMA schema_version=N] statement.
 ** <li> Writes to the [sqlite_dbpage] virtual table.
 ** <li> Direct writes to [shadow tables].
 ** </ul>
--- a/test/pragma.test
+++ b/test/pragma.test
@ -904,15 +904,15 @@ do_test pragma-8.1.2 {
    PRAGMA schema_version;
  }
 } {schema_version 105}
-do_test pragma-8.1.3 {
-  execsql {
-    PRAGMA schema_version = 106;
-  }
-} {}
-do_test pragma-8.1.4 {
-  execsql {
-    PRAGMA schema_version;
-  }
+sqlite3_db_config db DEFENSIVE 1
+do_execsql_test pragma-8.1.3 {
+  PRAGMA schema_version = 106;
+  PRAGMA schema_version;
+} 105
+sqlite3_db_config db DEFENSIVE 0
+do_execsql_test pragma-8.1.4 {
+  PRAGMA schema_version = 106;
+  PRAGMA schema_version;
 } 106

 # Check that creating a table modifies the schema-version (this is really