From b252b921f8b6eb6850ef70f716dee40654583598 Mon Sep 17 00:00:00 2001
From: Cory McWilliams
Date: Fri, 25 Aug 2023 19:41:54 +0000
Subject: [PATCH] Call out restricted DB access when we acquire the reader.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4429 ed5197a5-7fde-0310-b194-c3ffbd925b24
---
 src/ssb.c | 8 ++++++++
 src/ssb.db.c | 4 +---
 src/ssb.h | 1 +
 src/ssb.js.c | 4 +---
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/ssb.c b/src/ssb.c
index e55ed935..e3163f3e 100644
--- a/src/ssb.c
+++ b/src/ssb.c
@@ -2178,6 +2178,14 @@ sqlite3* tf_ssb_acquire_db_reader(tf_ssb_t* ssb)
 }
 tf_trace_sqlite(ssb->trace, db);
 uv_mutex_unlock(&ssb->db_readers_lock);
+ sqlite3_set_authorizer(db, NULL, NULL);
+ return db;
+}
+
+sqlite3* tf_ssb_acquire_db_reader_restricted(tf_ssb_t* ssb)
+{
+ sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+ sqlite3_set_authorizer(db, tf_ssb_sqlite_authorizer, ssb);
 return db;
 }
diff --git a/src/ssb.db.c b/src/ssb.db.c
index c9dfe643..985d4813 100644
--- a/src/ssb.db.c
+++ b/src/ssb.db.c
@@ -960,10 +960,9 @@ int tf_ssb_sqlite_authorizer(void* user_data, int action_code, const char* arg0,
 JSValue tf_ssb_db_visit_query(tf_ssb_t* ssb, const char* query, const JSValue binds, void (*callback)(JSValue row, void* user_data), void* user_data)
 {
 JSValue result = JS_UNDEFINED;
- sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+ sqlite3* db = tf_ssb_acquire_db_reader_restricted(ssb);
 JSContext* context = tf_ssb_get_context(ssb);
 sqlite3_stmt* statement;
- sqlite3_set_authorizer(db, tf_ssb_sqlite_authorizer, ssb);
 if (sqlite3_prepare(db, query, -1, &statement, NULL) == SQLITE_OK)
 {
 JSValue bind_result = _tf_ssb_sqlite_bind_json(context, db, statement, binds);
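Review bot: In src/ssb.c the restricted state of a pooled reader now depends entirely on the acquire side: the `sqlite3_set_authorizer(db, NULL, NULL)` calls before `tf_ssb_release_db_reader` are removed in the `tf_ssb_db_visit_query` and `_tf_ssb_sqlAsync_work` hunks, so a connection goes back to the pool with `tf_ssb_sqlite_authorizer` still installed until `tf_ssb_acquire_db_reader` clears it. That direction fails closed, but the invariant is worth recording above the reset, e.g. `/* Pooled readers may come back restricted; always clear the authorizer here. */`. `tf_ssb_acquire_db_reader_restricted` also ignores the result of `sqlite3_set_authorizer`; since the authorizer appears to be the barrier for query text passed in by callers, a failure should not yield a usable handle, for example `if (sqlite3_set_authorizer(db, tf_ssb_sqlite_authorizer, ssb) != SQLITE_OK) { tf_ssb_release_db_reader(ssb, db); return NULL; }`, provided the callers tolerate NULL. The start of `tf_ssb_acquire_db_reader` is outside the hunk, so whether `db` can be NULL at these calls cannot be told from here.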
@@ -994,7 +993,6 @@ JSValue tf_ssb_db_visit_query(tf_ssb_t* ssb, const char* query, const JSValue bi
 {
 result = JS_ThrowInternalError(context, "SQL Error %s: preparing \"%s\".", sqlite3_errmsg(db), query);
 }
- sqlite3_set_authorizer(db, NULL, NULL);
 tf_ssb_release_db_reader(ssb, db);
 return result;
 }
diff --git a/src/ssb.h b/src/ssb.h
index c3ebeb10..f32ffa7c 100644
--- a/src/ssb.h
+++ b/src/ssb.h
@@ -82,6 +82,7 @@ tf_ssb_t* tf_ssb_create(uv_loop_t* loop, JSContext* context, const char* db_path
 void tf_ssb_destroy(tf_ssb_t* ssb);
 sqlite3* tf_ssb_acquire_db_reader(tf_ssb_t* ssb);
+sqlite3* tf_ssb_acquire_db_reader_restricted(tf_ssb_t* ssb);
 void tf_ssb_release_db_reader(tf_ssb_t* ssb, sqlite3* db);
 sqlite3* tf_ssb_acquire_db_writer(tf_ssb_t* ssb);
 void tf_ssb_release_db_writer(tf_ssb_t* ssb, sqlite3* db);
diff --git a/src/ssb.js.c b/src/ssb.js.c
index eee8d6cb..0d1c934d 100644
--- a/src/ssb.js.c
+++ b/src/ssb.js.c
@@ -428,8 +428,7 @@ static void _tf_ssb_sqlAsync_work(uv_work_t* work)
 tf_ssb_record_thread_busy(sql_work->ssb, true);
 tf_trace_t* trace = tf_ssb_get_trace(sql_work->ssb);
 tf_trace_begin(trace, "sql_async_work");
- sqlite3* db = tf_ssb_acquire_db_reader(sql_work->ssb);
- sqlite3_set_authorizer(db, tf_ssb_sqlite_authorizer, sql_work->ssb);
+ sqlite3* db = tf_ssb_acquire_db_reader_restricted(sql_work->ssb);
 sqlite3_stmt* statement = NULL;
 sql_work->result = sqlite3_prepare(db, sql_work->query, -1, &statement, NULL);
 if (sql_work->result == SQLITE_OK)
@@ -523,7 +522,6 @@ static void _tf_ssb_sqlAsync_work(uv_work_t* work)
 {
 sql_work->error = tf_strdup(sqlite3_errmsg(db));
 }
- sqlite3_set_authorizer(db, NULL, NULL);
 tf_ssb_release_db_reader(sql_work->ssb, db);
 tf_ssb_record_thread_busy(sql_work->ssb, false);
 tf_trace_end(trace);
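Review bot: The new declaration in src/ssb.h carries no comment telling callers which acquire function to pick, and the two names differ only by a suffix, so a later call site that prepares query text supplied by a caller could take the unrestricted reader by mistake. A short comment on each declaration would make the contract explicit, e.g. `/* Reader with tf_ssb_sqlite_authorizer installed; use for any query text that does not originate in this codebase. */` on `tf_ssb_acquire_db_reader_restricted` and `/* Reader with no authorizer; for internal queries only. */` on `tf_ssb_acquire_db_reader`. What the authorizer actually permits is defined in src/ssb.db.c, outside this hunk, so the wording should be checked against it.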