Issue #21147: sqlite3 now raises an exception if the request contains a null

character instead of truncate it. Based on patch by Victor Stinner.
2014-09-11 13:29:05 +03:00 · 2014-09-11 13:29:05 +03:00 · 42d67af87f
parent abf68ce164
commit 42d67af87f
4 changed files with 19 additions and 1 deletions
--- a/Lib/sqlite3/test/regression.py
+++ b/Lib/sqlite3/test/regression.py
@ -336,6 +336,16 @@ class RegressionTests(unittest.TestCase):
                          sqlite.connect, ":memory:", isolation_level=123)


+    def CheckNullCharacter(self):
+        # Issue #21147
+        con = sqlite.connect(":memory:")
+        self.assertRaises(ValueError, con, "\0select 1")
+        self.assertRaises(ValueError, con, "select 1\0")
+        cur = con.cursor()
+        self.assertRaises(ValueError, cur.execute, " \0select 2")
+        self.assertRaises(ValueError, cur.execute, "select 2\0")
+
+
 def suite():
    regression_suite = unittest.makeSuite(RegressionTests, "Check")
    return unittest.TestSuite((regression_suite,))
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -32,6 +32,9 @@ Core and Builtins
 Library
 -------

+- Issue #21147: sqlite3 now raises an exception if the request contains a null
+  character instead of truncate it.  Based on patch by Victor Stinner.
+
 - Issue #21951: Fixed a crash in Tkinter on AIX when called Tcl command with
  empty string or tuple argument.

--- a/Modules/_sqlite/connection.c
+++ b/Modules/_sqlite/connection.c
@ -1261,7 +1261,8 @@ PyObject* pysqlite_connection_call(pysqlite_Connection* self, PyObject* args, Py
        if (rc == PYSQLITE_TOO_MUCH_SQL) {
            PyErr_SetString(pysqlite_Warning, "You can only execute one statement at a time.");
        } else if (rc == PYSQLITE_SQL_WRONG_TYPE) {
-            PyErr_SetString(pysqlite_Warning, "SQL is of wrong type. Must be string or unicode.");
+            if (PyErr_ExceptionMatches(PyExc_TypeError))
+                PyErr_SetString(pysqlite_Warning, "SQL is of wrong type. Must be string.");
        } else {
            (void)pysqlite_statement_reset(statement);
            _pysqlite_seterror(self->db, NULL);
--- a/Modules/_sqlite/statement.c
+++ b/Modules/_sqlite/statement.c
@ -63,6 +63,10 @@ int pysqlite_statement_create(pysqlite_Statement* self, pysqlite_Connection* con
        rc = PYSQLITE_SQL_WRONG_TYPE;
        return rc;
    }
+    if (strlen(sql_cstr) != (size_t)sql_cstr_len) {
+        PyErr_SetString(PyExc_ValueError, "the query contains a null character");
+        return PYSQLITE_SQL_WRONG_TYPE;
+    }

    self->in_weakreflist = NULL;
    Py_INCREF(sql);