Change the SQLITE_READ authorization call for unreferenced tables to use

an empty string for the column name, as this is less likely to impact legacy authorization callbacks that assume column names are always non-NULL. FossilOrigin-Name: 4139953ab528f20fa346409810edcb22adb6c1edc9d22f40b1b077ef842a2441
2025-11-12 13:01:09 +03:00 · 2017-05-11 12:05:23 +00:00
parent e694139788
commit 2336c935af
4 changed files with 21 additions and 13 deletions
--- a/src/select.c
+++ b/src/select.c
@@ -5124,15 +5124,23 @@ int sqlite3Select(
    SelectDest dest;
    Select *pSub;

-    /* Issue SQLITE_READ authorizations with a NULL column name for any tables that
+    /* Issue SQLITE_READ authorizations with a fake column name for any tables that
    ** are referenced but from which no values are extracted. Examples of where these
    ** kinds of null SQLITE_READ authorizations would occur:
    **
-    **     SELECT count(*) FROM t1;   -- SQLITE_READ t1 null
-    **     SELECT t1.* FROM t1, t2;   -- SQLITE_READ t2 null
+    **     SELECT count(*) FROM t1;   -- SQLITE_READ t1.""
+    **     SELECT t1.* FROM t1, t2;   -- SQLITE_READ t2.""
+    **
+    ** The fake column name is an empty string.  It is possible for a table to
+    ** have a column named by the empty string, in which case there is no way to
+    ** distinguish between an unreferenced table and an actual reference to the
+    ** "" column.  The original design was for the fake column name to be a NULL,
+    ** which would be unambiguous.  But legacy authorization callbacks might
+    ** assume the column name is non-NULL and segfault.  The use of an empty string
+    ** for the fake column name seems safer.
    */
    if( pItem->colUsed==0 ){
-      sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, pItem->zDatabase, 0);
+      sqlite3AuthCheck(pParse, SQLITE_READ, pItem->zName, "", pItem->zDatabase);
    }

 #if !defined(SQLITE_OMIT_SUBQUERY) || !defined(SQLITE_OMIT_VIEW)