[Python-checkins] cpython (merge 3.4 -> default): Issue #21147: sqlite3 now raises an exception if the request contains a null

serhiy.storchaka python-checkins at python.org
Thu Sep 11 12:33:42 CEST 2014


http://hg.python.org/cpython/rev/b81f5652c2d7
changeset:   92403:b81f5652c2d7
parent:      92400:ff4b9d654691
parent:      92402:517f216d45ea
user:        Serhiy Storchaka <storchaka at gmail.com>
date:        Thu Sep 11 13:30:48 2014 +0300
summary:
  Issue #21147: sqlite3 now raises an exception if the request contains a null
character instead of truncating the request at that character.  Based on patch by Victor Stinner.

files:
  Lib/sqlite3/test/regression.py |  10 ++++++++++
  Misc/NEWS                      |   3 +++
  Modules/_sqlite/connection.c   |   3 ++-
  Modules/_sqlite/statement.c    |   4 ++++
  4 files changed, 19 insertions(+), 1 deletions(-)


diff --git a/Lib/sqlite3/test/regression.py b/Lib/sqlite3/test/regression.py
--- a/Lib/sqlite3/test/regression.py
+++ b/Lib/sqlite3/test/regression.py
@@ -336,6 +336,16 @@
                           sqlite.connect, ":memory:", isolation_level=123)
 
 
+    def CheckNullCharacter(self):
+        # Issue #21147
+        con = sqlite.connect(":memory:")
+        self.assertRaises(ValueError, con, "\0select 1")
+        self.assertRaises(ValueError, con, "select 1\0")
+        cur = con.cursor()
+        self.assertRaises(ValueError, cur.execute, " \0select 2")
+        self.assertRaises(ValueError, cur.execute, "select 2\0")
+
+
 def suite():
     regression_suite = unittest.makeSuite(RegressionTests, "Check")
     return unittest.TestSuite((regression_suite,))
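Review bot: None of the four cases in CheckNullCharacter puts the null character in the middle of an otherwise valid statement, which is the case where truncation would leave a different but still valid statement to run. Adding `self.assertRaises(ValueError, cur.execute, "select 1\0, 2")` would pin that. Only calling the connection and `cur.execute` are exercised; whether `executemany` and `executescript` reach the same check is not visible in this commit, so each deserves its own assertion. The connection is also never closed, and `self.addCleanup(con.close)` after the `connect` call would fix that.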
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -132,6 +132,9 @@
 Library
 -------
 
+- Issue #21147: sqlite3 now raises an exception if the request contains a null
+  character instead of truncate it.  Based on patch by Victor Stinner.
+
 - Issue #13968: The glob module now supports recursive search in
   subdirectories using the "**" pattern.
 
diff --git a/Modules/_sqlite/connection.c b/Modules/_sqlite/connection.c
--- a/Modules/_sqlite/connection.c
+++ b/Modules/_sqlite/connection.c
@@ -1261,7 +1261,8 @@
         if (rc == PYSQLITE_TOO_MUCH_SQL) {
             PyErr_SetString(pysqlite_Warning, "You can only execute one statement at a time.");
         } else if (rc == PYSQLITE_SQL_WRONG_TYPE) {
-            PyErr_SetString(pysqlite_Warning, "SQL is of wrong type. Must be string or unicode.");
+            if (PyErr_ExceptionMatches(PyExc_TypeError))
+                PyErr_SetString(pysqlite_Warning, "SQL is of wrong type. Must be string.");
         } else {
             (void)pysqlite_statement_reset(statement);
             _pysqlite_seterror(self->db, NULL);
diff --git a/Modules/_sqlite/statement.c b/Modules/_sqlite/statement.c
--- a/Modules/_sqlite/statement.c
+++ b/Modules/_sqlite/statement.c
@@ -63,6 +63,10 @@
         rc = PYSQLITE_SQL_WRONG_TYPE;
         return rc;
     }
+    if (strlen(sql_cstr) != (size_t)sql_cstr_len) {
+        PyErr_SetString(PyExc_ValueError, "the query contains a null character");
+        return PYSQLITE_SQL_WRONG_TYPE;
+    }
 
     self->in_weakreflist = NULL;
     Py_INCREF(sql);
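Review bot: The new check returns `PYSQLITE_SQL_WRONG_TYPE` for what is a value error, so every caller has to inspect the pending exception to tell the two cases apart. Only the connection.c caller is adjusted in this commit. A separate return code for the embedded-null case would make it harder for another caller to overwrite the ValueError with the generic wrong-type warning. The check would also benefit from a comment saying why it exists, for example `/* the C string passed to SQLite ends at the first NUL, so a longer Python string would be silently truncated */`. The enclosing function starts and ends outside this hunk.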

-- 
Repository URL: http://hg.python.org/cpython

