On 17.12.2015 07:21, Rahkonen Jukka (MML) wrote:
> edgar soldin wrote:
>
>> just assumed because of
>> https://sourceforge.net/p/jump-pilot/code/HEAD/tree/core/trunk/src/com/vividsolutions/jump/datastore/spatialite/SpatialiteDataStoreDriver.java#l69
>> "new SQLiteConfig().enableLoadExtension(true);"
>> but obviously this just autoloads the sqlite native libs.
>
> SQLite has two steps for increasing security:
> - If SQLite is compiled with SQLITE_OMIT_LOAD_EXTENSION it will be
>   impossible to load extensions
> - If the use of LOAD_EXTENSION is allowed "enableLoadExtension()" must still
>   be called first
> - Only after that it is possible to load extension. There are a couple of ways
>   to do that including SELECT load_extension(). The setting is off by default.
>   Notice that end user can also enter SQL with "SELECT load_extension()".
>
> Enabling load_extension is only on or off and when OpenJUMP enables
> loading mod_spatialite it allows loading any other extension to the same
> connection as well. It is hard to see that as a security risk for OpenJUMP.
>
> http://www.sqlite.org/loadext.html
> http://www.sqlite.org/c3ref/enable_load_extension.html

thanks, well explained..

ede
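
The gating discussed in this thread, as an added example that is not part of the original messages or of OpenJUMP's code: it uses Python's sqlite3 module rather than sqlite-jdbc to show that SELECT load_extension() is refused until loading is enabled on the connection, and that the switch can be turned off again once the wanted extension has been loaded. The library path and the names gate_state and extension_window are constructed for illustration.

```python
import sqlite3
from contextlib import contextmanager

# Constructed path that does not exist, so no library is ever actually loaded.
MISSING_LIB = "/nonexistent/constructed_example_extension"


def gate_state(conn):
    """Report how this connection answers SELECT load_extension()."""
    try:
        conn.execute("SELECT load_extension(?)", (MISSING_LIB,))
    except sqlite3.OperationalError as exc:
        msg = str(exc)
        if "not authorized" in msg:
            return "blocked"   # loading has not been enabled on this connection
        if "no such function" in msg:
            return "omitted"   # SQLite built with SQLITE_OMIT_LOAD_EXTENSION
    # Any other failure means SQLite tried to open the (missing) library.
    return "open"


@contextmanager
def extension_window(conn):
    """Enable extension loading only for the duration of the with-block."""
    conn.enable_load_extension(True)
    try:
        yield conn
    finally:
        conn.enable_load_extension(False)


def demo():
    conn = sqlite3.connect(":memory:")
    states = {"default": gate_state(conn)}
    if not hasattr(conn, "enable_load_extension"):
        return states  # this Python build has no way to enable loading
    with extension_window(conn):
        # An application would load mod_spatialite here; any SQL run on the
        # connection at this point could name another library as well.
        states["inside_window"] = gate_state(conn)
    states["after_window"] = gate_state(conn)
    return states


if __name__ == "__main__":
    print(demo())
```

The switch is per connection, so user-entered SQL only stays behind the closed gate if it runs after the window has been closed on that same connection.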