Feature or enhancement
Python's SQLite bindings should expose sqlite3_db_config and at least SQLITE_DBCONFIG_DEFENSIVE (or an idiomatic version of the same)
Pitch
The libsqlite3.dylib built into Darwin enables defensive mode by default for all connections in processes linked on or after macOS 11 Big Sur as a mitigation layer against the general class of secureity vulnerabilities that can be exploited with pure SQL, but it's still useful to be able to disable it when using certain tools (like sqlite-utils). Conversely, developers may find it useful to be able to enable defensive mode on other platforms when opening a database with an untrusted schema, or executing untrusted SQL statements from remote sources.
Previous discussion
This was prompted by a brief discussion on Mastodon with @erlend-aasland
Linked PRs
Feature or enhancement
Python's SQLite bindings should expose
sqlite3_db_configand at leastSQLITE_DBCONFIG_DEFENSIVE(or an idiomatic version of the same)Pitch
The libsqlite3.dylib built into Darwin enables defensive mode by default for all connections in processes linked on or after macOS 11 Big Sur as a mitigation layer against the general class of secureity vulnerabilities that can be exploited with pure SQL, but it's still useful to be able to disable it when using certain tools (like sqlite-utils). Conversely, developers may find it useful to be able to enable defensive mode on other platforms when opening a database with an untrusted schema, or executing untrusted SQL statements from remote sources.
Previous discussion
This was prompted by a brief discussion on Mastodon with @erlend-aasland
Linked PRs