Limit CLI input redirect nesting

FossilOrigin-Name: 7a073931752d16ba71f1a606091461e427ca5ccf4d135d3c5141bfdd4e67e2d5

manifest

@@ -1,5 +1,5 @@
-C Add\ssupport\sfor\sthe\ssqlite3_vtab_distinct()\sinterface.\s\sVirtual\stable\nimplementations\scan\suse\sthis\sAPI\sto\sdetermine\smore\sdetail\sabout\sthe\sordering\nrequirements\sneeded\sby\sthe\squery\splan\sand\sperhaps\sreduce\sthe\samount\sof\nwork\srequired\sto\scompute\sa\scorrect\sanswer.\s\sThis\sis\san\soptimization\nopportunity\sfor\sthe\svirtual\stable\simplementation.\s\sThe\scorrect\sanswer\sshould\nstill\sbe\sobtained\s(though\sperhaps\smore\sslowly)\seven\sif\ssqlite3_vtab_distinct()\nis\signored.
-D 2022-01-22T22:28:32.461
+C Limit\sCLI\sinput\sredirect\snesting
+D 2022-01-24T06:36:16.156
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -553,7 +553,7 @@ F src/random.c 097dc8b31b8fba5a9aca1697aeb9fd82078ec91be734c16bffda620ced7ab83c
 F src/resolve.c 359bc0e445d427583d2ab6110433a5dc777f64a0ecdf8d24826d8b475233ead9
 F src/rowset.c ba9515a922af32abe1f7d39406b9d35730ed65efab9443dc5702693b60854c92
 F src/select.c ab5717255420972e69b9b9ce4d1c4730fe82cfbdc14b7743e389a8bdb79ca027
-F src/shell.c.in 4690f216dc4da0c104a8fd9f9e12bec0483242e630324aa7a3ccd155922e346e
+F src/shell.c.in e80a140e92e342e2f92d405a77155c8e3a67c9b1d0bdbacb92885960cd4fc8f2
 F src/sqlite.h.in 31c2c8d737814369bd3b71f3849c4a97ef7ede0aa3ce976ecb11632fa5f1f863
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
 F src/sqlite3ext.h 5d54cf13d3406d8eb65d921a0d3c349de6126b732e695e79ecd4830ce86b4f8a
@@ -1388,7 +1388,7 @@ F test/sharedlock.test 5ede3c37439067c43b0198f580fd374ebf15d304
 F test/shell1.test 70f46b5d07776a107335c3c2c9cbd0431d44637bfeae1f6b9ded5e33b4c7c0bf
 F test/shell2.test f00a0501c00583cbc46f7510e1d713366326b2b3e63d06d15937284171a8787c
 F test/shell3.test cb4b835a901742c9719437a89171172ecc4a8823ad97349af8e4e841e6f82566
-F test/shell4.test 3ed6c4b42fd695efcbc25d69ef759dbb15855ca8e52ba6c5ee076f8b435f48be
+F test/shell4.test 8427e08751d4b16100fadb29f109cc1b8cce5c3858bdf34837c6e3b35fbbfee7
 F test/shell5.test b85069bfcf3159b225228629ab2c3e69aa923d098fea8ea074b5dcd743522e2c
 F test/shell6.test 1ceb51b2678c472ba6cf1e5da96679ce8347889fe2c3bf93a0e0fa73f00b00d3
 F test/shell7.test 115132f66d0463417f408562cc2cf534f6bbc6d83a6d50f0072a9eb171bae97f
@@ -1941,9 +1941,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 19247e919fab9748cae561cb12c4c3c106064390a37e32e724d9a9066cfaff8e 4289edf3c5e32a05b51f232020099b33f6f5e79b0ceca2b96baf1186168d9af6
-R 8c92b45cd50ac9ababc3056da5861966
-T +closed 4289edf3c5e32a05b51f232020099b33f6f5e79b0ceca2b96baf1186168d9af6
-U drh
-Z 550b4c112b6ad484a8ff339f5683365a
+P e4caf1e3932b1bd0dea072df7fc9458aed98c84ea397b6948b89292603949c41
+R 3ff059f17b79f35a7110343334a8c695
+U larrybr
+Z 22bca9d238f29be7cbeeb6418fbc3f83
 # Remove this line to create a well-formed Fossil manifest.

manifest.uuid

@@ -1 +1 @@
-e4caf1e3932b1bd0dea072df7fc9458aed98c84ea397b6948b89292603949c41
+7a073931752d16ba71f1a606091461e427ca5ccf4d135d3c5141bfdd4e67e2d5

src/shell.c.in

@@ -1086,6 +1086,7 @@ struct ShellState {
   u8 bSafeModePersist;   /* The long-term value of bSafeMode */
   unsigned statsOn;      /* True to display memory stats before each finalize */
   unsigned mEqpLines;    /* Mask of veritical lines in the EQP output graph */
+  int inputNesting;      /* Track nesting level of .read and other redirects */
   int outCount;          /* Revert to stdout when reaching zero */
   int cnt;               /* Number of records displayed so far */
   int lineno;            /* Line number of last line read from in */
@@ -1250,6 +1251,12 @@ static const char *modeDescr[] = {
 #define SEP_Unit      "\x1F"
 #define SEP_Record    "\x1E"
 
+/*
+** Limit input nesting via .read or any other input redirect.
+** It's not too expensive, so a generous allowance can be made.
+*/
+#define MAX_INPUT_NESTING 25
+
 /*
 ** A callback for the sqlite3_log() interface.
 */
@@ -10940,6 +10947,13 @@ static int process_input(ShellState *p){
   int startline = 0;        /* Line number for start of current input */
   QuickScanState qss = QSS_Start; /* Accumulated line status (so far) */
 
+  if( p->inputNesting==MAX_INPUT_NESTING ){
+    /* This will be more informative in a later version. */
+    utf8_printf(stderr,"Input nesting limit (%d) reached at line %d."
+                " Check recursion.\n", MAX_INPUT_NESTING, p->lineno);
+    return 1;
+  }
+  ++p->inputNesting;
   p->lineno = 0;
   while( errCnt==0 || !bail_on_error || (p->in==0 && stdin_is_interactive) ){
     fflush(p->out);
@@ -11022,6 +11036,7 @@ static int process_input(ShellState *p){
   }
   free(zSql);
   free(zLine);
+  --p->inputNesting;
   return errCnt>0;
 }
 

test/shell4.test

@@ -19,6 +19,7 @@
 #   shell4-1.*: Basic tests specific to the "stats" command.
 #   shell4-2.*: Basic tests for ".trace"
 #   shell4-3.*: The ".read" command takes the shell out of interactive mode
+#   shell4-4.*: Input redirects cannot recurse too much
 #
 set testdir [file dirname $argv0]
 source $testdir/tester.tcl
@@ -138,4 +139,11 @@ do_test shell4-3.2 {
   exec $::CLI :memory: --interactive ".read t1.txt"
 } {pound: £}
 
+do_test shell4-4.1 {
+  set fd [open t1.txt wb]
+  puts $fd ".read t1.txt"
+  close $fd
+  catchcmd ":memory:" ".read t1.txt"
+} {1 {Input nesting limit (25) reached at line 1. Watch recursion.}}
+
 finish_test