changeset:   92401:430865e9ea9f
branch:      2.7
parent:      92397:d6c7ab5a2065
user:        Serhiy Storchaka <storchaka@gmail.com>
date:        Thu Sep 11 13:27:19 2014 +0300
files:       Lib/sqlite3/test/regression.py Misc/NEWS Modules/_sqlite/connection.c Modules/_sqlite/statement.c
description:
Issue #21147: sqlite3 now raises an exception if the request contains a null
character instead of truncate it.  Based on patch by Victor Stinner.


diff -r d6c7ab5a2065 -r 430865e9ea9f Lib/sqlite3/test/regression.py
--- a/Lib/sqlite3/test/regression.py	Thu Sep 11 10:56:59 2014 +0300
+++ b/Lib/sqlite3/test/regression.py	Thu Sep 11 13:27:19 2014 +0300
@@ -319,6 +319,16 @@
                           sqlite.connect, ":memory:", isolation_level=123)
 
 
+    def CheckNullCharacter(self):
+        # Issue #21147
+        con = sqlite.connect(":memory:")
+        self.assertRaises(ValueError, con, "\0select 1")
+        self.assertRaises(ValueError, con, "select 1\0")
+        cur = con.cursor()
+        self.assertRaises(ValueError, cur.execute, " \0select 2")
+        self.assertRaises(ValueError, cur.execute, "select 2\0")
+
+
 def suite():
     regression_suite = unittest.makeSuite(RegressionTests, "Check")
     return unittest.TestSuite((regression_suite,))
diff -r d6c7ab5a2065 -r 430865e9ea9f Misc/NEWS
--- a/Misc/NEWS	Thu Sep 11 10:56:59 2014 +0300
+++ b/Misc/NEWS	Thu Sep 11 13:27:19 2014 +0300
@@ -22,6 +22,9 @@
 Library
 -------
 
+- Issue #21147: sqlite3 now raises an exception if the request contains a null
+  character instead of truncate it.  Based on patch by Victor Stinner.
+
 - Issue #21951: Fixed a crash in Tkinter on AIX when called Tcl command with
   empty string or tuple argument.
 
diff -r d6c7ab5a2065 -r 430865e9ea9f Modules/_sqlite/connection.c
--- a/Modules/_sqlite/connection.c	Thu Sep 11 10:56:59 2014 +0300
+++ b/Modules/_sqlite/connection.c	Thu Sep 11 13:27:19 2014 +0300
@@ -1215,7 +1215,8 @@
         if (rc == PYSQLITE_TOO_MUCH_SQL) {
             PyErr_SetString(pysqlite_Warning, "You can only execute one statement at a time.");
         } else if (rc == PYSQLITE_SQL_WRONG_TYPE) {
-            PyErr_SetString(pysqlite_Warning, "SQL is of wrong type. Must be string or unicode.");
+            if (!PyErr_Occurred() || PyErr_ExceptionMatches(PyExc_TypeError))
+                PyErr_SetString(pysqlite_Warning, "SQL is of wrong type. Must be string or unicode.");
         } else {
             (void)pysqlite_statement_reset(statement);
             _pysqlite_seterror(self->db, NULL);
diff -r d6c7ab5a2065 -r 430865e9ea9f Modules/_sqlite/statement.c
--- a/Modules/_sqlite/statement.c	Thu Sep 11 10:56:59 2014 +0300
+++ b/Modules/_sqlite/statement.c	Thu Sep 11 13:27:19 2014 +0300
@@ -74,12 +74,15 @@
         rc = PYSQLITE_SQL_WRONG_TYPE;
         return rc;
     }
+    sql_cstr = PyString_AsString(sql_str);
+    if (strlen(sql_cstr) != (size_t)PyString_GET_SIZE(sql_str)) {
+        PyErr_SetString(PyExc_ValueError, "the query contains a null character");
+        return PYSQLITE_SQL_WRONG_TYPE;
+    }
 
     self->in_weakreflist = NULL;
     self->sql = sql_str;
 
-    sql_cstr = PyString_AsString(sql_str);
-
     Py_BEGIN_ALLOW_THREADS
     rc = sqlite3_prepare(connection->db,
                          sql_cstr,