Refactor names of flags for improved legibility.

FossilOrigin-Name: 411e8ec2219bb4181aaf2209fb1e7baf5e8df8b8c8adb82a69b48cf7e8e7e7d4

manifest

@@ -1,5 +1,5 @@
-C Refactor\sthe\snames\sof\sthe\snew\scontrols\sfor\srestricting\swhat\sactions\sthe\sschema\ncan\stake\sbehind\sthe\sapplication's\sback.
+C Refactor\snames\sof\sflags\sfor\simproved\slegibility.
-D 2020-01-04T20:58:41.624
+D 2020-01-06T15:25:41.454
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -464,7 +464,7 @@ F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
 F src/alter.c f48a4423c8f198d7f1ae4940f74b606707d05384ac79fb219be8e3323af2a2de
 F src/analyze.c b3ceec3fc052df8a96ca8a8c858d455dc5029ba681b4be98bb5c5a9162cfa58c
-F src/attach.c b30c44333d55a68c0a12920b5b9d40b254cbd3d4509bda77417209eeed8b3d80
+F src/attach.c df0ead9091042c68964856ecc08dba55d5403ad5f3ca865d9d396d71528c511a
 F src/auth.c a3d5bfdba83d25abed1013a8c7a5f204e2e29b0c25242a56bc02bb0c07bf1e06
 F src/backup.c f70077d40c08b7787bfe934e4d1da8030cb0cc57d46b345fba2294b7d1be23ab
 F src/bitvec.c 17ea48eff8ba979f1f5b04cc484c7bb2be632f33
@@ -492,7 +492,7 @@ F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71
 F src/insert.c 5ba8fd376f539240939ae76b5bc9fa7ad9a0d86e9914ecd11eb7002204138c11
 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa
 F src/loadext.c d74f5e7bd51f3c9d283442473eb65aef359664efd6513591c03f01881c4ae2da
-F src/main.c 372f764daf1fd8f86ea87a2eb285faaed891300682e9fa5a2fd75c3a3e6c5af7
+F src/main.c 1505cc36860dcbfbe62579de97637b0d757282b810ead96095b8ca6be2e13c4b
 F src/malloc.c eaa4dc9602ce28b077f7de2eb275db2be270c5cc56d7fec5466301bd9b80e2f5
 F src/mem0.c 6a55ebe57c46ca1a7d98da93aaa07f99f1059645
 F src/mem1.c c12a42539b1ba105e3707d0e628ad70e611040d8f5e38cf942cee30c867083de
@@ -526,14 +526,14 @@ F src/pragma.h 5bbfafd74cf085762b64e4e2b00242917951b30468e380bddd8be6c21789aec2
 F src/prepare.c 6049beb71385f017af6fc320d2c75a4e50b75e280c54232442b785fbb83df057
 F src/printf.c 9be6945837c839ba57837b4bc3af349eba630920fa5532aa518816defe42a7d4
 F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384
-F src/resolve.c d368864894450413a78ab5381eea7f6deb2f1f7b10c7e6ca20cb345e5a7b9281
+F src/resolve.c f35aa580fd29a9213f43bc267f486bb26430352bf78d1ceef4a4c9735b4c9d24
 F src/rowset.c d977b011993aaea002cab3e0bb2ce50cf346000dff94e944d547b989f4b1fe93
 F src/select.c 64bf450dc0f2b37be8d2be6ff7d25a70de37ef6fb64527c68f767fe9fe47bc55
-F src/shell.c.in 0fcf24b526e35eb2e02212e2504b695f79992ccc69b8be0f841276abea037008
+F src/shell.c.in 6893d5b8d598aa59457c1490b8c9970c9b8d19d5f37951b3f831a0cd5f45a57c
-F src/sqlite.h.in 600fd6093a03112831e2658daac299d2a803ffcd3d7f4f6b091a447f79b4d6c2
+F src/sqlite.h.in b2dc8fc4db9496b3b9c06d68026d83976e9b76afc8b53d16aadb68f3e5cc3ca0
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
 F src/sqlite3ext.h 72af51aa4e912e14cd495fb6e7fac65f0940db80ed950d90911aff292cc47ce2
-F src/sqliteInt.h 002066fa9a7ea1dacdca6f395968d4eed0fcf2978ac1f7528c61cb6e65f52e6e
+F src/sqliteInt.h badbde0a53c2fb8311d7cd7f177a7bef70002658daa61d3effcaef365adb5f4b
 F src/sqliteLimit.h 1513bfb7b20378aa0041e7022d04acb73525de35b80b252f1b83fedb4de6a76b
 F src/status.c 9ff2210207c6c3b4d9631a8241a7d45ab1b26a0e9c84cb07a9b5ce2de9a3b278
 F src/table.c b46ad567748f24a326d9de40e5b9659f96ffff34
@@ -609,7 +609,7 @@ F src/vdbeblob.c 253ed82894924c362a7fa3079551d3554cd1cdace39aa833da77d3bc67e7c1b
 F src/vdbemem.c 05668cc1b44845736784f1ce9da46403dbf202c7c6d1a02205285cfc30e78f0d
 F src/vdbesort.c a3be032cc3fee0e3af31773af4a7a6f931b7230a34f53282ccf1d9a2a72343be
 F src/vdbetrace.c fa3bf238002f0bbbdfb66cc8afb0cea284ff9f148d6439bc1f6f2b4c3b7143f0
-F src/vtab.c a2fead3e97fca54fcf3f3db784e17c9ee2d39a0c5ad323e9d514855106300a86
+F src/vtab.c 7b704a90515a239c6cdba6a66b1bb3a385e62326cceb5ecb05ec7a091d6b8515
 F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
 F src/wal.c 15a2845769f51ba132f9cf0b2c7a6887a91fc8437892dbcce9fcdc68b66d60a1
 F src/wal.h 606292549f5a7be50b6227bd685fa76e3a4affad71bb8ac5ce4cb5c79f6a176a
@@ -1853,7 +1853,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 7a8d7ca726666f4384925f959df0d58f7622229e06f1b5e643a3caccd539bb6e
+P 65d7d39a858c51ffd781f5a6335e029895e597aeb1e1ccdadea8ce79c8ad412f
-R f9fb8a85043cff3871f686f554fff1c5
+R fb33b89473d770b763bebc42b1cd394c
 U drh
-Z 2b34921532ba1ddcc3f837ba912e08b2
+Z 6124e43a4879e0631853de887c7788db

manifest.uuid

@@ -1 +1 @@
-65d7d39a858c51ffd781f5a6335e029895e597aeb1e1ccdadea8ce79c8ad412f
+411e8ec2219bb4181aaf2209fb1e7baf5e8df8b8c8adb82a69b48cf7e8e7e7d4

src/attach.c

@@ -477,7 +477,7 @@ void sqlite3FixInit(
   pFix->pSchema = db->aDb[iDb].pSchema;
   pFix->zType = zType;
   pFix->pName = pName;
-  pFix->bVarOnly = (iDb==1);
+  pFix->bTemp = (iDb==1);
 }
 
 /*
@@ -505,7 +505,7 @@ int sqlite3FixSrcList(
   if( NEVER(pList==0) ) return 0;
   zDb = pFix->zDb;
   for(i=0, pItem=pList->a; i<pList->nSrc; i++, pItem++){
-    if( pFix->bVarOnly==0 ){
+    if( pFix->bTemp==0 ){
       if( pItem->zDatabase && sqlite3StrICmp(pItem->zDatabase, zDb) ){
         sqlite3ErrorMsg(pFix->pParse,
             "%s %T cannot reference objects in database %s",
@@ -515,6 +515,7 @@ int sqlite3FixSrcList(
       sqlite3DbFree(pFix->pParse->db, pItem->zDatabase);
       pItem->zDatabase = 0;
       pItem->pSchema = pFix->pSchema;
+      pItem->fg.fromDDL = 1;
     }
 #if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_TRIGGER)
     if( sqlite3FixSelect(pFix, pItem->pSelect) ) return 1;
@@ -570,7 +571,7 @@ int sqlite3FixExpr(
   Expr *pExpr        /* The expression to be fixed to one database */
 ){
   while( pExpr ){
-    ExprSetProperty(pExpr, EP_Indirect);
+    if( !pFix->bTemp ) ExprSetProperty(pExpr, EP_FromDDL);
     if( pExpr->op==TK_VARIABLE ){
       if( pFix->pParse->db->init.busy ){
         pExpr->op = TK_NULL;

src/main.c

@@ -887,7 +887,7 @@ int sqlite3_db_config(sqlite3 *db, int op, ...){
         { SQLITE_DBCONFIG_DQS_DDL,               SQLITE_DqsDDL         },
         { SQLITE_DBCONFIG_DQS_DML,               SQLITE_DqsDML         },
         { SQLITE_DBCONFIG_LEGACY_FILE_FORMAT,    SQLITE_LegacyFileFmt  },
-        { SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL,     SQLITE_UnsafeDDL      },
+        { SQLITE_DBCONFIG_UNTRUSTED_SCHEMA,      SQLITE_UnsafeSchema   },
       };
       unsigned int i;
       rc = SQLITE_ERROR; /* IMP: R-42790-23372 */
@@ -3127,7 +3127,6 @@ static int openDatabase(
                  | SQLITE_EnableTrigger
                  | SQLITE_EnableView
                  | SQLITE_CacheSpill
-                 | SQLITE_UnsafeDDL
 
 /* The SQLITE_DQS compile-time option determines the default settings
 ** for SQLITE_DBCONFIG_DQS_DDL and SQLITE_DBCONFIG_DQS_DML.

src/resolve.c

@@ -887,17 +887,18 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
           pDef = 0;
         }else
         if( (pDef->funcFlags & (SQLITE_FUNC_DIRECT|SQLITE_FUNC_UNSAFE))!=0
-         && ExprHasProperty(pExpr, EP_Indirect)
+         && ExprHasProperty(pExpr, EP_FromDDL)
          && !IN_RENAME_OBJECT
         ){
           if( (pDef->funcFlags & SQLITE_FUNC_DIRECT)!=0
-           || (pParse->db->flags & SQLITE_UnsafeDDL)==0
+           || (pParse->db->flags & SQLITE_UnsafeSchema)!=0
           ){
             /* Functions prohibited in triggers and views if:
             **     (1) tagged with SQLITE_DIRECTONLY
             **     (2) not tagged with SQLITE_INNOCUOUS (which means it
             **         is tagged with SQLITE_FUNC_UNSAFE) and 
-            **         SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL is off
+            **         SQLITE_DBCONFIG_UNTRUSTED_SCHEMA is off (meaning
+            **         that the schema is fully trustworthy).
             */
             sqlite3ErrorMsg(pParse, "%s() prohibited in triggers and views",
                             pDef->zName);

src/shell.c.in

@@ -7165,7 +7165,6 @@ static int do_meta_command(char *zLine, ShellState *p){
         { "enable_fkey",        SQLITE_DBCONFIG_ENABLE_FKEY           },
         { "enable_qpsg",        SQLITE_DBCONFIG_ENABLE_QPSG           },
         { "enable_trigger",     SQLITE_DBCONFIG_ENABLE_TRIGGER        },
-        { "enable_unsafe_ddl",  SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL     },
         { "enable_view",        SQLITE_DBCONFIG_ENABLE_VIEW           },
         { "fts3_tokenizer",     SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER },
         { "legacy_alter_table", SQLITE_DBCONFIG_LEGACY_ALTER_TABLE    },
@@ -7174,6 +7173,7 @@ static int do_meta_command(char *zLine, ShellState *p){
         { "no_ckpt_on_close",   SQLITE_DBCONFIG_NO_CKPT_ON_CLOSE      },
         { "reset_database",     SQLITE_DBCONFIG_RESET_DATABASE        },
         { "trigger_eqp",        SQLITE_DBCONFIG_TRIGGER_EQP           },
+        { "untrusted_schema",   SQLITE_DBCONFIG_UNTRUSTED_SCHEMA      },
         { "writable_schema",    SQLITE_DBCONFIG_WRITABLE_SCHEMA       },
     };
     int ii, v;

src/sqlite.h.in

@@ -2265,19 +2265,24 @@ struct sqlite3_mem_methods {
 ** compile-time option.
 ** </dd>
 **
-** [[SQLITE_DBCONFIG_INDIRECT_UNSAFE]]
+** [[SQLITE_DBCONFIG_UNTRUSTED_SCHEMA]]
-** <dt>SQLITE_DBCONFIG_INDIRECT_UNSAFE</td>
+** <dt>SQLITE_DBCONFIG_UNTRUSTED_SCHEMA</td>
-** <dd>The SQLITE_DBCONFIG_INDIRECT_UNSAFE option activates or deactivates
+** <dd>The SQLITE_DBCONFIG_UNTRUSTED_SCHEMA option tells the SQLite 
-** the ability to use "unsafe" SQL functions and virtual tables in the
+** database connection that the schemas of the database files it reads
-** schema of the database.  Using an SQL function or virtual table "in the
+** might contain malicious corruption intended to harm the application.
-** schema" means using the rsource in a
+** When the SQLITE_DBCONFIG_UNTRUSTED_SCHEMA option is enabled, SQLite
-** trigger, view, CHECK constraint, INDEX definition, generated column,
+** takes additional defensive steps including, but not limited to, the
-** default value, or in any other context that is part of the DDL for the
+** following:
-** database file.  "Unsafe" SQL functions are SQL functions that are not
+** <ul>
-** tagged with [SQLITE_INNOCUOUS]. 
+** <li> Prohibit the use of SQL functions inside triggers, views,
-** <p>For legacy compatibility, the SQLITE_DBCONFIG_INDIRECT_UNSAFE setting
+** CHECK constraints, DEFAULT VALUEs, index definitions, and/or
-** defaults to "on". Applications that are operating on untrusted database
+** generated columns unless those functions are tagged
-** files are advised to change this setting to "off".
+** with [SQLITE_INNOCUOUS].
+** <li> Pohibit the use of virtual tables inside of triggers and/or views
+** unless those virtual tables are tagged with [SQLITE_VTAB_INNOCUOUS].
+** </ul>
+** This setting defaults to "off" for legacy compatibility, however
+** all applications are advised to turn it on if possible.
 ** </dd>
 **
 ** [[SQLITE_DBCONFIG_LEGACY_FILE_FORMAT]]
@@ -2320,7 +2325,7 @@ struct sqlite3_mem_methods {
 #define SQLITE_DBCONFIG_DQS_DDL               1014 /* int int* */
 #define SQLITE_DBCONFIG_ENABLE_VIEW           1015 /* int int* */
 #define SQLITE_DBCONFIG_LEGACY_FILE_FORMAT    1016 /* int int* */
-#define SQLITE_DBCONFIG_ENABLE_UNSAFE_DDL     1017 /* int int* */
+#define SQLITE_DBCONFIG_UNTRUSTED_SCHEMA      1017 /* int int* */
 #define SQLITE_DBCONFIG_MAX                   1017 /* Largest DBCONFIG */
 
 /*
@@ -8899,7 +8904,7 @@ int sqlite3_vtab_config(sqlite3*, int op, ...);
 **
 ** <dl>
 ** [[SQLITE_VTAB_CONSTRAINT_SUPPORT]]
-** <dt>SQLITE_VTAB_CONSTRAINT_SUPPORT
+** <dt>SQLITE_VTAB_CONSTRAINT_SUPPORT</dt>
 ** <dd>Calls of the form
 ** [sqlite3_vtab_config](db,SQLITE_VTAB_CONSTRAINT_SUPPORT,X) are supported,
 ** where X is an integer.  If X is zero, then the [virtual table] whose
@@ -8928,9 +8933,31 @@ int sqlite3_vtab_config(sqlite3*, int op, ...);
 ** return SQLITE_OK. Or, if this is not possible, it may return
 ** SQLITE_CONSTRAINT, in which case SQLite falls back to OR ABORT 
 ** constraint handling.
+** </dd>
+**
+** [[SQLITE_VTAB_INNOCUOUS]]<dt>SQLITE_VTAB_INNOCUOUS</dt>
+** <dd>Calls of the form
+** [sqlite3_vtab_config](db,SQLITE_VTAB_INNOCUOUS) from within the
+** the [xConnect] or [xCreate] methods of a [virtual table] implmentation
+** identify that virtual table as being safe to use from within triggers
+** and views.  Conceptually, the SQLITE_VTAB_INNOCUOUS tag means that the
+** virtual table can do no serious harm even if it is controlled by a
+** malicious hacker.  Developers should avoid setting the SQLITE_VTAB_INNOCUOUS
+** flag unless absolutely necessary.
+** </dd>
+**
+** [[SQLITE_VTAB_DIRECTONLY]]<dt>SQLITE_VTAB_DIRECTONLY</dt>
+** <dd>Calls of the form
+** [sqlite3_vtab_config](db,SQLITE_VTAB_DIRECTONLY) from within the
+** the [xConnect] or [xCreate] methods of a [virtual table] implmentation
+** prohibits that virtual table from being used from within triggers and
+** views.
+** </dd>
 ** </dl>
 */
 #define SQLITE_VTAB_CONSTRAINT_SUPPORT 1
+#define SQLITE_VTAB_INNOCUOUS          2
+#define SQLITE_VTAB_DIRECTONLY         3
 
 /*
 ** CAPI3REF: Determine The Virtual Table Conflict Policy

src/sqliteInt.h

@@ -1581,8 +1581,8 @@ struct sqlite3 {
 #define SQLITE_CkptFullFSync  0x00000010  /* Use full fsync for checkpoint */
 #define SQLITE_CacheSpill     0x00000020  /* OK to spill pager cache */
 #define SQLITE_ShortColNames  0x00000040  /* Show short columns names */
-#define SQLITE_UnsafeDDL      0x00000080  /* Allow unsafe functions and vtabs
+#define SQLITE_UnsafeSchema   0x00000080  /* Disallow unsafe functions and
-                                          ** in the schema definition */
+                                          ** vtabs in the schema definition */
 #define SQLITE_NullCallback   0x00000100  /* Invoke the callback once if the */
                                           /*   result set is empty */
 #define SQLITE_IgnoreChecks   0x00000200  /* Do not enforce check constraints */
@@ -2067,10 +2067,17 @@ struct VTable {
   sqlite3_vtab *pVtab;      /* Pointer to vtab instance */
   int nRef;                 /* Number of pointers to this structure */
   u8 bConstraint;           /* True if constraints are supported */
+  u8 eVtabRisk;             /* Riskiness of allowing hacker access */
   int iSavepoint;           /* Depth of the SAVEPOINT stack */
   VTable *pNext;            /* Next in linked list (see above) */
 };
 
+/* Allowed values for VTable.eVtabRisk
+*/
+#define SQLITE_VTABRISK_Low          0
+#define SQLITE_VTABRISK_Normal       1
+#define SQLITE_VTABRISK_High         2
+
 /*
 ** The schema for each SQL table and view is represented in memory
 ** by an instance of the following structure.
@@ -2671,7 +2678,7 @@ struct Expr {
 #define EP_Static    0x8000000 /* Held in memory not obtained from malloc() */
 #define EP_IsTrue   0x10000000 /* Always has boolean value of TRUE */
 #define EP_IsFalse  0x20000000 /* Always has boolean value of FALSE */
-#define EP_Indirect 0x40000000 /* Contained within a TRIGGER or a VIEW */
+#define EP_FromDDL  0x40000000 /* Originates from sqlite_master */
 
 /*
 ** The EP_Propagate mask is a set of properties that automatically propagate
@@ -2840,6 +2847,7 @@ struct SrcList {
       unsigned isCorrelated :1;  /* True if sub-query is correlated */
       unsigned viaCoroutine :1;  /* Implemented as a co-routine */
       unsigned isRecursive :1;   /* True for recursive reference in WITH */
+      unsigned fromDDL :1;       /* Comes from sqlite_master */
     } fg;
     int iCursor;      /* The VDBE cursor number used to access this table */
     Expr *pOn;        /* The ON clause of a join */
@@ -3515,7 +3523,7 @@ typedef struct DbFixer DbFixer;
 struct DbFixer {
   Parse *pParse;      /* The parsing context.  Error messages written here */
   Schema *pSchema;    /* Fix items to this schema */
-  int bVarOnly;       /* Check for variable references only */
+  u8 bTemp;           /* True for TEMP schema entries */
   const char *zDb;    /* Make sure all objects are contained in this database */
   const char *zType;  /* Type of the container - used for error messages */
   const Token *pName; /* Name of the container - used for error messages */

src/vtab.c

@@ -587,6 +587,7 @@ static int vtabCallConstructor(
   }
   pVTable->db = db;
   pVTable->pMod = pMod;
+  pVTable->eVtabRisk = SQLITE_VTABRISK_Normal;
 
   iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
   pTab->azModuleArg[1] = db->aDb[iDb].zDbSName;
@@ -1276,28 +1277,38 @@ int sqlite3_vtab_on_conflict(sqlite3 *db){
 int sqlite3_vtab_config(sqlite3 *db, int op, ...){
   va_list ap;
   int rc = SQLITE_OK;
+  VtabCtx *p;
 
 #ifdef SQLITE_ENABLE_API_ARMOR
   if( !sqlite3SafetyCheckOk(db) ) return SQLITE_MISUSE_BKPT;
 #endif
   sqlite3_mutex_enter(db->mutex);
-  va_start(ap, op);
+  p = db->pVtabCtx;
-  switch( op ){
+  if( !p ){
-    case SQLITE_VTAB_CONSTRAINT_SUPPORT: {
+    rc = SQLITE_MISUSE_BKPT;
-      VtabCtx *p = db->pVtabCtx;
+  }else{
-      if( !p ){
+    assert( p->pTab==0 || IsVirtual(p->pTab) );
-        rc = SQLITE_MISUSE_BKPT;
+    va_start(ap, op);
-      }else{
+    switch( op ){
-        assert( p->pTab==0 || IsVirtual(p->pTab) );
+      case SQLITE_VTAB_CONSTRAINT_SUPPORT: {
         p->pVTable->bConstraint = (u8)va_arg(ap, int);
+        break;
+      }
+      case SQLITE_VTAB_INNOCUOUS: {
+        p->pVTable->eVtabRisk = SQLITE_VTABRISK_Low;
+        break;
+      }
+      case SQLITE_VTAB_DIRECTONLY: {
+        p->pVTable->eVtabRisk = SQLITE_VTABRISK_High;
+        break;
+      }
+      default: {
+        rc = SQLITE_MISUSE_BKPT;
+        break;
       }
-      break;
     }
-    default:
+    va_end(ap);
-      rc = SQLITE_MISUSE_BKPT;
-      break;
   }
-  va_end(ap);
 
   if( rc!=SQLITE_OK ) sqlite3Error(db, rc);
   sqlite3_mutex_leave(db->mutex);