1. 21

  2. 15

The title made me assume that new vulnerabilities were being announced, but this page is a list of their policies and a list of historical ones, the most recent of which was from August 24th, 2021, and that one was in an experimental extension.

    Perhaps the submission title should be changed?

    1. 8

It seems overly dismissive in tone, though technically correct. On the other hand, the number of SQL injection vulnerabilities I’ve seen is high enough, not to disqualify the argument but to give context: the likelihood of an outdated SQLite bundled within an application that has bugs is higher than the in-project folks might want to believe.

      1. 7

        SQL injection attacks aren’t SQLite vulnerabilities. From the page:

        the mere fact that an attacker has a way to inject and run arbitrary SQL is in and of itself a denial-of-service attack.

        The reason these issues started showing up is that some web browsers added an early JavaScript database API that talked to SQLite. This meant remote code could now send arbitrary SQL statements to a local SQLite database, which had never been considered a possibility by the SQLite designers, since SQLite is an embedded database engine that’s assumed to be running statements generated only by the host application.

        1. 6

While it took a second reading to see it, freddy’s post calls out specifically the combination of SQL injection with an outdated SQLite (turning an injection into RCE).

          1. 1

My point is: Security does not happen in isolation. If you disclaim responsibility for how your library is used, you will get fewer insights into how it is misused. I agree that allowing arbitrary SQL commands is a bug, but maybe folks need a different interface?

And to be clear, I’m not trying to punch here. SQLite is an amazing project; I admire their tech and their success.

        2. 3

          For some reason this reminded me of Raymond Chen’s excellent writeup: https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31283