The ability to load extensions is turned off by default. It must be

enabled by calling sqlite3_enable_load_extension() before it will work. This prevents security problems in legacy applications. Ticket #1863. (CVS 3311) FossilOrigin-Name: 4692319ccf28b0ebe64d5c5d189f444034fe0cb2
2025-07-29 08:01:23 +03:00 · 2006-06-27 15:16:14 +00:00
parent 69dab1d33f
commit c2e87a3e85
8 changed files with 145 additions and 39 deletions
--- a/test/loadext.test
+++ b/test/loadext.test
@ -11,7 +11,7 @@
 # This file implements regression tests for SQLite library.  The
 # focus of this script is in-memory database backend.
 #
-# $Id: loadext.test,v 1.4 2006/06/26 21:35:46 drh Exp $
+# $Id: loadext.test,v 1.5 2006/06/27 15:16:16 drh Exp $

 set testdir [file dirname $argv0]
 source $testdir/tester.tcl
@ -50,6 +50,7 @@ do_test loadext-1.1 {
  }
 } {1 {no such function: half}}
 do_test loadext-1.2 {
+  sqlite3_enable_load_extension db 1
  sqlite3_load_extension db $testextension testloadext_init
  catchsql {
    SELECT half(1.0);
@ -60,6 +61,7 @@ do_test loadext-1.2 {
 #
 do_test loadext-1.3 {
  sqlite3 db2 test.db
+  sqlite3_enable_load_extension db2 1
  catchsql {
    SELECT half(1.0);
  } db2
@ -83,6 +85,7 @@ do_test loadext-1.5 {

 db2 close
 sqlite3 db test.db
+sqlite3_enable_load_extension db 1

 # Try to load an extension for which the file does not exist.
 #
@ -136,6 +139,7 @@ do_test loadext-2.4 {

 db close
 sqlite3 db test.db
+sqlite3_enable_load_extension db 1
 do_test loadext-3.1 {
  catchsql {
    SELECT half(5);
@ -158,4 +162,31 @@ do_test loadext-3.4 {
  }
 } {0 2.5}

+# Ticket #1863
+# Make sure the extension loading mechanism will not work unless it
+# is explicitly enabled.
+#
+db close
+sqlite3 db test.db
+do_test loadext-4.1 {
+  catchsql {
+    SELECT load_extension($::testextension,'testloadext_init')
+  }
+} {1 {not authorized}}
+do_test loadext-4.2 {
+  sqlite3_enable_load_extension db 1
+  catchsql {
+    SELECT load_extension($::testextension,'testloadext_init')
+  }
+} {0 {{}}}
+
+do_test loadext-4.3 {
+  sqlite3_enable_load_extension db 0
+  catchsql {
+    SELECT load_extension($::testextension,'testloadext_init')
+  }
+} {1 {not authorized}}
+
+
+
 finish_test