Disable all virtual tables.
authorbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 Mar 2017 00:08:40 +0000 (00:08 +0000)
committerbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 Mar 2017 00:08:40 +0000 (00:08 +0000)
<rdar://problem/31081972> and https://bugs.webkit.org/show_bug.cgi?id=169928
Source/WebCore:

Reviewed by Jer Noble.

No new tests (Covered by changes to existing test).

* Modules/webdatabase/DatabaseAuthorizer.cpp:
(WebCore::DatabaseAuthorizer::createVTable):
(WebCore::DatabaseAuthorizer::dropVTable):

LayoutTests:

Reviewed by Jer Noble.

* storage/websql/test-authorizer-expected.txt:
* storage/websql/test-authorizer.js:
(createStatementsCallback):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@214237 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/storage/websql/test-authorizer-expected.txt
LayoutTests/storage/websql/test-authorizer.js
Source/WebCore/ChangeLog
Source/WebCore/Modules/webdatabase/DatabaseAuthorizer.cpp

index c8690e9..48f5c68 100644 (file)
@@ -1,3 +1,14 @@
+2017-03-21  Brady Eidson  <beidson@apple.com>
+
+        Disable all virtual tables.
+        <rdar://problem/31081972> and https://bugs.webkit.org/show_bug.cgi?id=169928
+
+        Reviewed by Jer Noble.
+
+        * storage/websql/test-authorizer-expected.txt:
+        * storage/websql/test-authorizer.js:
+        (createStatementsCallback):
+
 2017-03-21  Zalan Bujtas  <zalan@apple.com>
 
         Tear down descendant renderers when <slot>'s display value is set to no "contents".
index 8e07090..64014ec 100644 (file)
@@ -7,6 +7,7 @@ SQLITE_CREATE_TEMP_VIEW statement succeeded.
 SQLITE_CREATE_TRIGGER statement succeeded.
 SQLITE_CREATE_VIEW statement succeeded.
 SQLITE_CREATE_VTABLE statement failed: could not prepare statement (23 not authorized)
+SQLITE_CREATE_VTABLE (FTS3) statement failed: could not prepare statement (23 not authorized)
 SQLITE_READ statement succeeded.
 SQLITE_SELECT statement succeeded.
 SQLITE_DELETE statement succeeded.
@@ -40,6 +41,7 @@ SQLITE_CREATE_TEMP_VIEW statement failed: could not prepare statement (23 not au
 SQLITE_CREATE_TRIGGER statement failed: could not prepare statement (1 not authorized)
 SQLITE_CREATE_VIEW statement failed: could not prepare statement (23 not authorized)
 SQLITE_CREATE_VTABLE statement failed: could not prepare statement (23 not authorized)
+SQLITE_CREATE_VTABLE (FTS3) statement failed: could not prepare statement (23 not authorized)
 SQLITE_CREATE_INDEX statement succeeded.
 SQLITE_CREATE_TEMP_TABLE statement succeeded.
 SQLITE_CREATE_TEMP_TRIGGER statement succeeded.
@@ -47,6 +49,7 @@ SQLITE_CREATE_TEMP_VIEW statement succeeded.
 SQLITE_CREATE_TRIGGER statement succeeded.
 SQLITE_CREATE_VIEW statement succeeded.
 SQLITE_CREATE_VTABLE statement failed: could not prepare statement (23 not authorized)
+SQLITE_CREATE_VTABLE (FTS3) statement failed: could not prepare statement (23 not authorized)
 SQLITE_READ statement succeeded.
 SQLITE_SELECT statement succeeded.
 SQLITE_DELETE statement failed: could not prepare statement (23 not authorized)
index 9c3d720..14e6307 100644 (file)
@@ -58,6 +58,7 @@ function createStatementsCallback(tx)
     executeStatement(tx, "CREATE TRIGGER TestTrigger INSERT ON Test BEGIN SELECT COUNT(*) FROM Test; END;", "SQLITE_CREATE_TRIGGER");
     executeStatement(tx, "CREATE VIEW TestView AS SELECT COUNT(*) FROM Test;", "SQLITE_CREATE_VIEW");
     executeStatement(tx, "CREATE VIRTUAL TABLE TestVirtualTable USING MissingModule;", "SQLITE_CREATE_VTABLE");
+    executeStatement(tx, "CREATE VIRTUAL TABLE TestVirtualTableFTS USING fts3;", "SQLITE_CREATE_VTABLE (FTS3)");
 }
 
 function otherStatementsCallback(tx)
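Review bot: The added `CREATE VIRTUAL TABLE ... USING fts3` statement covers createVTable only; nothing in this hunk reaches dropVTable, which the same commit also changes to deny unconditionally. A plain `DROP TABLE TestVirtualTableFTS` would most likely fail with a missing-table error before the authorizer is consulted, because the table can no longer be created. Covering the drop path would therefore probably need a database that already contains a virtual table. It would also help to add a comment next to the new line, for example `// fts3 was previously the only allowed module; it must now be denied too.`, so the reason for the second case is clear. createStatementsCallback starts outside this hunk.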
index 3294a63..9bbe14c 100644 (file)
@@ -1,3 +1,16 @@
+2017-03-21  Brady Eidson  <beidson@apple.com>
+
+        Disable all virtual tables.
+        <rdar://problem/31081972> and https://bugs.webkit.org/show_bug.cgi?id=169928
+        
+        Reviewed by Jer Noble.
+
+        No new tests (Covered by changes to existing test).
+
+        * Modules/webdatabase/DatabaseAuthorizer.cpp:
+        (WebCore::DatabaseAuthorizer::createVTable):
+        (WebCore::DatabaseAuthorizer::dropVTable):
+
 2017-03-21  Anders Carlsson  <andersca@apple.com>
 
         Remove bogus availability annotations from DOM SPI headers.
index 10310a0..f85f920 100644 (file)
@@ -282,29 +282,14 @@ int DatabaseAuthorizer::dropTempView(const String&)
     return SQLAuthAllow;
 }
 
-int DatabaseAuthorizer::createVTable(const String& tableName, const String& moduleName)
+int DatabaseAuthorizer::createVTable(const String&, const String&)
 {
-    if (!allowWrite())
-        return SQLAuthDeny;
-
-    // Allow only the FTS3 extension
-    if (!equalLettersIgnoringASCIICase(moduleName, "fts3"))
-        return SQLAuthDeny;
-
-    m_lastActionChangedDatabase = true;
-    return denyBasedOnTableName(tableName);
+    return SQLAuthDeny;
 }
 
-int DatabaseAuthorizer::dropVTable(const String& tableName, const String& moduleName)
+int DatabaseAuthorizer::dropVTable(const String&, const String&)
 {
-    if (!allowWrite())
-        return SQLAuthDeny;
-
-    // Allow only the FTS3 extension
-    if (!equalLettersIgnoringASCIICase(moduleName, "fts3"))
-        return SQLAuthDeny;
-
-    return updateDeletesBasedOnTableName(tableName);
+    return SQLAuthDeny;
 }
 
 int DatabaseAuthorizer::allowDelete(const String& tableName)
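Review bot: createVTable and dropVTable now return SQLAuthDeny with no comment explaining why, whereas the removed code carried `// Allow only the FTS3 extension`. A later reader could mistake the bare stubs for an unfinished placeholder and restore the allowlist. I would add a comment above each return, such as `// Virtual tables are denied unconditionally; no module (including FTS3) is allowed.` Separately, this hunk gates only the CREATE and DROP actions: a database written by an earlier build may already contain an FTS3 table, and whether statements against such a table are still authorized is not visible here, so that path deserves a check. Denying dropVTable also means a page can no longer remove such a pre-existing table.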