From 054ede3133b2550ecffaf98d3acd7d112ed85cf3 Mon Sep 17 00:00:00 2001
From: "Erlend E. Aasland"
Date: Sun, 2 May 2021 17:43:54 +0200
Subject: [PATCH 1/2] Move sqlite3.connect* audit events to sqlite3.Connection.__init__
---
 Lib/test/audit-tests.py | 7 ++++---
 Lib/test/test_audit.py | 2 +-
 Modules/_sqlite/connection.c | 8 ++++++++
 Modules/_sqlite/module.c | 9 ---------
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/Lib/test/audit-tests.py b/Lib/test/audit-tests.py
index ed42451b8f08af..7a7de637c38823 100644
--- a/Lib/test/audit-tests.py
+++ b/Lib/test/audit-tests.py
@@ -367,13 +367,14 @@ def hook(event, *args): print(event, *args) sys.addaudithook(hook) - cx = sqlite3.connect(":memory:") + cx1 = sqlite3.connect(":memory:") + cx2 = sqlite3.Connection(":memory:") # Configured without --enable-loadable-sqlite-extensions if hasattr(sqlite3.Connection, "enable_load_extension"): - cx.enable_load_extension(False) + cx1.enable_load_extension(False) try: - cx.load_extension("test") + cx1.load_extension("test") except sqlite3.OperationalError: pass else:
diff --git a/Lib/test/test_audit.py b/Lib/test/test_audit.py
index 4ba62c408526d3..25ff34bb11298a 100644
--- a/Lib/test/test_audit.py
+++ b/Lib/test/test_audit.py
@@ -158,7 +158,7 @@ def test_sqlite3(self): if support.verbose: print(*events, sep='\n') actual = [ev[0] for ev in events] - expected = ["sqlite3.connect", "sqlite3.connect/handle"] + expected = ["sqlite3.connect", "sqlite3.connect/handle"] * 2 if hasattr(sqlite3.Connection, "enable_load_extension"): expected += [
diff --git a/Modules/_sqlite/connection.c b/Modules/_sqlite/connection.c
index 5f8e41b6169a76..fb5411243c6798 100644
--- a/Modules/_sqlite/connection.c
+++ b/Modules/_sqlite/connection.c
@@ -86,6 +86,10 @@ pysqlite_connection_init(pysqlite_Connection *self, PyObject *args, return -1; } + if (PySys_Audit("sqlite3.connect", "O", database_obj) < 0) { + return -1; + } + database = PyBytes_AsString(database_obj); self->initialized = 1;
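Review bot: In Lib/test/test_audit.py, test_sqlite3 still compares only event names (`actual = [ev[0] for ev in events]`), so the doubled `expected` list says nothing about what each event carries. The same patch changes both arguments: `sqlite3.connect` is now raised with `database_obj` where module_connect passed `database`, and `sqlite3.connect/handle` is raised with the connection's `self` where module_connect passed its own `self`. Hook authors filter on these values, so the test should also compare the recorded argument of each event, not just `ev[0]`. The layout of the event tuples is not visible in this hunk, and test_sqlite3 continues outside it.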
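Review bot: In Modules/_sqlite/connection.c (hunk at -86), the new early `return -1;` after `PySys_Audit("sqlite3.connect", "O", database_obj)` exits without releasing `database_obj`. The following line reads it with `PyBytes_AsString(database_obj)`, which suggests a bytes object produced during argument parsing above the hunk. If this function owns that reference, every connect rejected by a hook leaks it. Add `Py_DECREF(database_obj);` before the `return -1;`, or confirm from the parsing code that the reference is borrowed. pysqlite_connection_init starts and ends outside the hunk.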
@@ -179,6 +183,10 @@ pysqlite_connection_init(pysqlite_Connection *self, PyObject *args, self->ProgrammingError = pysqlite_ProgrammingError; self->NotSupportedError = pysqlite_NotSupportedError; + if (PySys_Audit("sqlite3.connect/handle", "O", self) < 0) { + return -1; + } + return 0; }
diff --git a/Modules/_sqlite/module.c b/Modules/_sqlite/module.c
index 2f323fcd00141f..324994641b4a4a 100644
--- a/Modules/_sqlite/module.c
+++ b/Modules/_sqlite/module.c
@@ -91,20 +91,11 @@ static PyObject* module_connect(PyObject* self, PyObject* args, PyObject* factory = (PyObject*)pysqlite_ConnectionType; } - if (PySys_Audit("sqlite3.connect", "O", database) < 0) { - return NULL; - } - result = PyObject_Call(factory, args, kwargs); if (result == NULL) { return NULL; } - if (PySys_Audit("sqlite3.connect/handle", "O", self) < 0) { - Py_DECREF(result); - return NULL; - } - return result; }
From cd273e429be0c26225e8bc9c7984bfcf6a1b8eb3 Mon Sep 17 00:00:00 2001
From: "Erlend E. Aasland"
Date: Sun, 2 May 2021 17:50:28 +0200
Subject: [PATCH 2/2] Add NEWS
---
 .../next/Security/2021-05-02-17-50-23.bpo-43434.cy7xz6.rst | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2021-05-02-17-50-23.bpo-43434.cy7xz6.rst
diff --git a/Misc/NEWS.d/next/Security/2021-05-02-17-50-23.bpo-43434.cy7xz6.rst b/Misc/NEWS.d/next/Security/2021-05-02-17-50-23.bpo-43434.cy7xz6.rst
new file mode 100644
index 00000000000000..b5a3f8d7587498
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-05-02-17-50-23.bpo-43434.cy7xz6.rst
@@ -0,0 +1,4 @@
+Creating :class:`sqlite3.Connection` objects now also produces
+``sqlite3.connect`` and ``sqlite3.connect/handle`` :ref:`auditing events
+`. Previously these events were only produced by
+:func:`sqlite3.connect` calls. Patch by Erlend E. Aasland.
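Review bot: In Modules/_sqlite/connection.c (hunk at -179), the failure path of the new `sqlite3.connect/handle` audit returns -1 at the very end of pysqlite_connection_init without undoing anything. The earlier hunk shows `self->initialized = 1;` being set right after the first audit, so unless code between the hunks resets it, a hook that raises here leaves an object still marked initialized. Its resources would then be released only when the object is deallocated. Either clear that state before `return -1;` or document the reliance, e.g. `/* On failure the caller drops the object; dealloc releases the handle. */`. The function body between the two hunks is not visible.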