📄 databaseauthorizer.cpp
字号:
/* * Copyright (C) 2007 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */#include "config.h"#include "DatabaseAuthorizer.h"#include "Database.h"#include "PlatformString.h"namespace WebCore {DatabaseAuthorizer::DatabaseAuthorizer() : m_securityEnabled(false){ reset();}void DatabaseAuthorizer::reset(){ m_lastActionWasInsert = false; m_lastActionChangedDatabase = false;}int DatabaseAuthorizer::createTable(const String& tableName){ m_lastActionChangedDatabase = true; return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::createTempTable(const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::dropTable(const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::dropTempTable(const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::allowAlterTable(const String&, const String& tableName){ m_lastActionChangedDatabase = true; return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::createIndex(const String&, const String& tableName){ m_lastActionChangedDatabase = true; return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::createTempIndex(const String&, const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::dropIndex(const String&, const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::dropTempIndex(const String&, const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::createTrigger(const String&, const String& tableName){ m_lastActionChangedDatabase = true; return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::createTempTrigger(const String&, const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::dropTrigger(const String&, const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::dropTempTrigger(const String&, const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::createVTable(const String&, const String&){ m_lastActionChangedDatabase = true; return m_securityEnabled ? SQLAuthDeny : SQLAuthAllow;}int DatabaseAuthorizer::dropVTable(const String&, const String&){ return m_securityEnabled ? SQLAuthDeny : SQLAuthAllow;}int DatabaseAuthorizer::allowDelete(const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::allowInsert(const String& tableName){ m_lastActionChangedDatabase = true; m_lastActionWasInsert = true; return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::allowUpdate(const String& tableName, const String&){ m_lastActionChangedDatabase = true; return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::allowTransaction(){ return m_securityEnabled ? SQLAuthDeny : SQLAuthAllow;}int DatabaseAuthorizer::allowRead(const String& tableName, const String&){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::allowAnalyze(const String& tableName){ return denyBasedOnTableName(tableName);}int DatabaseAuthorizer::allowPragma(const String&, const String&){ return m_securityEnabled ? SQLAuthDeny : SQLAuthAllow;}int DatabaseAuthorizer::allowAttach(const String&){ return m_securityEnabled ? SQLAuthDeny : SQLAuthAllow;}int DatabaseAuthorizer::allowDetach(const String&){ return m_securityEnabled ? SQLAuthDeny : SQLAuthAllow;}int DatabaseAuthorizer::allowFunction(const String&){ // FIXME: Are there any of these we need to prevent? One might guess current_date, current_time, current_timestamp because // they would violate the "sandbox environment" part of 4.11.3, but scripts can generate the local client side information via // javascript directly, anyways. Are there any other built-ins we need to be worried about? return SQLAuthAllow;}void DatabaseAuthorizer::disable(){ m_securityEnabled = false;}void DatabaseAuthorizer::enable(){ m_securityEnabled = true;}int DatabaseAuthorizer::denyBasedOnTableName(const String& tableName){ if (!m_securityEnabled) return SQLAuthAllow; // Sadly, normal creates and drops end up affecting sqlite_master in an authorizer callback, so // it will be tough to enforce all of the following policies //if (equalIgnoringCase(tableName, "sqlite_master") || equalIgnoringCase(tableName, "sqlite_temp_master") || // equalIgnoringCase(tableName, "sqlite_sequence") || equalIgnoringCase(tableName, Database::databaseInfoTableName())) // return SQLAuthDeny; if (equalIgnoringCase(tableName, Database::databaseInfoTableName())) return SQLAuthDeny; return SQLAuthAllow;}} // namespace WebCore⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -