[New-bugs-announce] [issue43434] sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks

Erlend Egeberg Aasland report at bugs.python.org
Mon Mar 8 07:53:59 EST 2021


New submission from Erlend Egeberg Aasland <erlend.aasland at innova.no>:

The module level connect method is guarded by PySys_Audit(), but sqlite3.Connection.__init__() is not. It is possible to bypass the module level connect() method simply by creating a new sqlite3.Connection object directly.

Easily fixed by either moving the PySys_Audit() check to pysqlite_connection_init(), or by adding an extra check in pysqlite_connection_init().


>>> import sqlite3, sys
>>> def hook(s, e):
...     if s == 'sqlite3.connect':
...             raise PermissionError
... 
>>> sys.addaudithook(hook)
>>> sqlite3.connect(':memory:')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<stdin>", line 3, in hook
PermissionError
>>> sqlite3.Connection(':memory:')
<sqlite3.Connection object at 0x7f94b0157a80>

----------
components: Library (Lib)
files: audit.py
messages: 388264
nosy: berker.peksag, erlendaasland, steve.dower
priority: normal
severity: normal
status: open
title: sqlite3.Connection(...) bypasses 'sqlite3.connect' audit hooks
type: security
versions: Python 3.10, Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49857/audit.py

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43434>
_______________________________________
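
A probe for the gap reported above, added here as an example and not taken from the report or its attached audit.py: it installs a record-only audit hook and reports whether each way of opening a connection raises the 'sqlite3.connect' event on the running interpreter. The names fires_connect_event and audit_coverage are assumptions made for this example.

```python
import sqlite3
import sys

_seen = []          # audit event names recorded while _recording is True
_recording = False  # audit hooks cannot be removed, so the hook is gated


def _hook(event, args):
    # Record only; never raise, so the probe does not change behaviour.
    if _recording and event == "sqlite3.connect":
        _seen.append(event)


sys.addaudithook(_hook)


def fires_connect_event(opener):
    """Return True if opener(':memory:') raises the 'sqlite3.connect' event."""
    global _recording
    _seen.clear()
    _recording = True
    try:
        conn = opener(":memory:")
        conn.close()
    finally:
        _recording = False
    return bool(_seen)


def audit_coverage():
    """Check both entry points named in the report."""
    return {
        "sqlite3.connect": fires_connect_event(sqlite3.connect),
        "sqlite3.Connection": fires_connect_event(sqlite3.Connection),
    }


if __name__ == "__main__":
    for path, covered in audit_coverage().items():
        state = "audited" if covered else "NOT audited"
        print(f"{path}(':memory:'): {state}")
```

A result of False for sqlite3.Connection means a hook that blocks or logs 'sqlite3.connect' does not see connections created through the class on that interpreter.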

