From 4bde862e026dbcdddbdb10f1fb75d92b07f559e6 Mon Sep 17 00:00:00 2001
From: "Erlend E. Aasland"
Date: Sun, 19 May 2024 23:07:06 -0400
Subject: [PATCH 1/3] gh-118928: sqlite3: correctly bail if sequences of params are used with named placeholders

Fix up post gh-118929.
---
 .../next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst | 2 ++
 Modules/_sqlite/cursor.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst

diff --git a/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst b/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
new file mode 100644
index 00000000000000..62767d36c2e0c3
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
@@ -0,0 +1,2 @@
+Fix an error where incorrect bindings in :mod:`sqlite3` queries could lead
+to a crash.
diff --git a/Modules/_sqlite/cursor.c b/Modules/_sqlite/cursor.c
index 5d4b77b1a07e08..f458840aa8dbc5 100644
--- a/Modules/_sqlite/cursor.c
+++ b/Modules/_sqlite/cursor.c
@@ -670,7 +670,7 @@ bind_parameters(pysqlite_state *state, pysqlite_Statement *self,
 for (i = 0; i < num_params; i++) {
 const char *name = sqlite3_bind_parameter_name(self->st, i+1);
 if (name != NULL && name[0] != '?') {
- PyErr_Format(state->ProgrammingError,
+ return PyErr_Format(state->ProgrammingError,
 "Binding %d ('%s') is a named parameter, but you "
 "supplied a sequence which requires nameless (qmark) "
 "placeholders.",
From 50a746bc7455a485e79fdfa21cb9c090bdc85a28 Mon Sep 17 00:00:00 2001
From: "Erlend E. Aasland"
Date: Sun, 19 May 2024 23:12:56 -0400
Subject: [PATCH 2/3] We need to refactor bind_parameters() so it returns -1 on error

---
 Modules/_sqlite/cursor.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Modules/_sqlite/cursor.c b/Modules/_sqlite/cursor.c
index f458840aa8dbc5..0fbd408f18cf6a 100644
--- a/Modules/_sqlite/cursor.c
+++ b/Modules/_sqlite/cursor.c
@@ -670,11 +670,12 @@ bind_parameters(pysqlite_state *state, pysqlite_Statement *self,
 for (i = 0; i < num_params; i++) {
 const char *name = sqlite3_bind_parameter_name(self->st, i+1);
 if (name != NULL && name[0] != '?') {
- return PyErr_Format(state->ProgrammingError,
+ PyErr_Format(state->ProgrammingError,
 "Binding %d ('%s') is a named parameter, but you "
 "supplied a sequence which requires nameless (qmark) "
 "placeholders.",
 i+1, name);
+ return;
 }
 
 if (PyTuple_CheckExact(parameters)) {
From 38f4a7c52bc2ad21f3ac9a0cc616e5db3e7dae87 Mon Sep 17 00:00:00 2001
From: "Erlend E. Aasland"
Date: Sun, 19 May 2024 23:13:53 -0400
Subject: [PATCH 3/3] Amend news

---
 .../next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst b/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
index 62767d36c2e0c3..61b192761731d0 100644
--- a/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
+++ b/Misc/NEWS.d/next/Library/2024-05-19-23-09-36.gh-issue-118928.SznMX1.rst
@@ -1,2 +1,2 @@
 Fix an error where incorrect bindings in :mod:`sqlite3` queries could lead
-to a crash.
+to a crash. Patch by Erlend E. Aasland.
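Review bot: With the added `return;` after `PyErr_Format` in the named-parameter branch, the failure is reported only through the exception set on the thread state, because bind_parameters returns void (the bare `return;` and the patch subject both indicate this), so the caller must test `PyErr_Occurred()` before it steps the statement; that caller is outside the hunk and cannot be checked here. A comment above the loop would make the contract explicit: `/* On error, set an exception and return; callers must check PyErr_Occurred(). */`. Converting the function to return -1 on failure, as the subject proposes, would remove the reliance on the caller remembering that check. bind_parameters begins and ends outside the hunk.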