SQLite 3.26.0 with security updates & window functions #837

Closed
brodycj opened this issue Dec 16, 2018 · 0 comments

brodycj commented Dec 16, 2018

A SQLite 3.26.0 update is needed due to a known vulnerability; it will provide window functions as well (#828).

Alternative solutions from https://discuss.zetetic.net/t/magellan-vulnerbility/3290:

I would favor a clean SQLite 3.26.0 update, which should be coming in the next few days.

ref:

brodycj self-assigned this Dec 16, 2018
brodycj pushed a commit that referenced this issue Dec 17, 2018
with security update and support for window functions

using cordova-sqlite-storage-dependencies@1.2.1

and add another upcoming breaking change

Resolves #837
nflsilva added a commit to OutSystems/Cordova-sqlcipher-adapter that referenced this issue Dec 21, 2022
* INLINE string test with U+0000 (issue reproduced)

and cover issue in documentation

* U+0000 string param manipulation test with doc fix

* fix openDatabase() calls in string tests (general)

* check default page/cache size

ref: storesafe/cordova-sqlite-storage#781

* test openDatabase() with 2-byte cent character (¢)

* test openDatabase() with U+0801 (3-byte Samaritan)

* doc fixes related to database file names

* test fix for emoji in database file name

* other openDatabase() file name test fixes

* spec with Jasmine 2.5.2

NOTE: Jasmine 2.6.0 and newer reports uncaught errors on some tests on
HTML5 (WebKit) Web SQL tests (FUTURE TBD for further investigation)

* fix label on db-sql-operations-test.js

* Add browser platform usage notes

* https link to litehelpers.net

* cordova-sqlite-storage 2.3.2 - quick updates

- Mark some Android errors as internal plugin errors (quick fix)
- remove trailing whitespace from Android implementation
- quick doc updates
- test coverage updates included

* Test comment for 4-byte UTF-8 characters

per string test case, removed from another place

ref: storesafe/cordova-sqlite-storage#564

* test sqlBatch with changing element values

* remove ignored params from plugin-specific tests

* test sqlBatch([]) (empty array) - reports success

* Fix label & db name in INSERT boolean value test

* Mark extra US-ASCII string tests

* Remove redundant backslash string tests

* "incomplete input" error mapping test fixes

* Multiple db.executeSql string result test fixes

* Multi-db PRAGMA/transaction combo test fixes

old QUnit-like utility functions removed from
this test script

* other db.executeSql test fixes

* '012012012' string INSERT value bindings test

ref: storesafe/cordova-sqlite-storage#791

* '012012.012' string INSERT value bindings test

Additional test ref: storesafe/cordova-sqlite-storage#791

* US-ASCII string concatenation test with parameters

* Mark INLINE BLOB value storage tests section

* Move more db.executeSql SELECT result description

* Fix U+0000 parameter UPPER test for Android 8

* Skip a couple U+0000 tests on Web SQL on Android 6

(for now)

* extra-long timeout for db combo test

* test and document usage with numbered parameters

resolves storesafe/cordova-sqlite-storage#787

* doc update examples & tutorials (with pitfall)

Closes storesafe/cordova-sqlite-storage#609

* Move & update existing browser platform notes

ref:
- storesafe/cordova-sqlite-storage#297
- storesafe/cordova-sqlite-storage#576
- storesafe/cordova-sqlite-storage-help#8

* More June 2018 doc updates

* cordova-sqlite-storage 2.3.3 - quick fix

Quick fix for some iOS/macOS internal plugin error log messages

(some test & doc updates are included in this release)

* possible "incomplete input" error on Android 7

* Remove some scripts from circle.yml & .travis.yml

Remove some test scripts from Travis CI & Circle CI

* spec remove test of obsolete WP8 platform

* spec with explicit check for Apple iOS userAgent

THANKS for info:
https://www.sitepoint.com/identify-apple-iphone-ipod-ipad-visitors/

* spec rename hasWebKitBrowser to hasWebKitWebSQL

* spec rename isWKWebView to hasMobileWKWebView

* MSAppHost userAgent pattern to check for Windows

* U+0000 test fixes & updates

* INSERT inline X'FFD1FFD2' test updates & fixes

* SELECT X'FFD1FFD2' test fix

* tx-semantics-test.js test fixes

* Check insertId after UPDATE & update doc

other advanced rowsAffected test updates to check insertId

closes storesafe/cordova-sqlite-storage#802

* (WebKit) Web SQL testing on browser platform

* cordova-sqlite-storage 2.4.0 - quick fix release

Report internal plugin error in case of attempt to open database with
no database name on iOS or macOS

Upcoming major release July 2018 -> September 2018

Test & documentation updates included in this release:
- Cover use of standard (WebKit) Web SQL API in spec test suite
- Test and document insertId in UPDATE result set on plugin vs (WebKit) Web SQL
- other test updates

* Followup test fix for iOS Web SQL

Followup fix for the following commit:

62767f6 - spec rename isWKWebView to hasMobileWKWebView

* Fix FTS3 test for Chrome vs Safari browser

* Doc fix for Android/iOS vs browser WebKit feature

FTS3/FTS4/R-Tree

* general doc updates

* ALTER tests do not ignore close error on Windows

* some open/close/delete database test fixes

* minor test fixes

* Windows error test & doc fixes (existing behavior)

ref:
- storesafe/cordova-sqlite-storage#539
- storesafe/cordova-sqlite-storage#821

* Check actual sqlite version in separate case

* Planned December 2018 release update notes

ref: storesafe/cordova-sqlite-storage#773

* Introduce androidDatabaseProvider: 'system' option

to replace androidDatabaseImplementation setting

(cordova-sqlite-storage 2.5.0)

* Comment out plugin on browser test conditions

which are currently not needed

(introduced in eade090)

* INLINE INSERT X'FFD1FFD2' BLOB test fixes

* PRAGMA & multiple db combo test fixes

* SELECT X'40414243' (INLINE BLOB) test fixes

and SELECT LOWER(X'40414243') test fixes

* db-simultaneous-tx-access-test.js fixes

* db-tx-multiple-update-test.js fixes

* SELECT LOWER(X'41F09F9883') test fixes

ref: storesafe/cordova-sqlite-storage#564

* SELECT LOWER(X'41EDA0BDEDB88321') test

returns emoji on Android plugin on default NDK provider
(all Android versions tested) and
androidDatabaseProvider: 'system' on Android 4.x

ref: storesafe/cordova-sqlite-storage#564

* tests with 25 emojis

ref: storesafe/cordova-sqlite-evcore-extbuild-free#43

* SELECT LOWER(X'41F0908CB1') string test

and SELECT LOWER(X'41EDA080EDBCB1') string test

ref: storesafe/cordova-sqlite-storage#564

* doc update for issue #564

Note that the same non-standard encoding of 4-byte UTF-8 characters on
Android pre-6.0 is also observed on the evcore plugin version.

* browser platform now planned for November 2018

* fix internal plugin cleanup error log on Android

(cordova-sqlite-storage 2.5.1)

* INSERT 25 emojis test fixes

ref: storesafe/cordova-sqlite-evcore-extbuild-free#43

* cordova-sqlite-evcore-legacy-ext-common-free link

fixed

* Windows platform notes fixes

* Fix link to Android database provider section

* minor doc fix

* INLINE BLOB test description fixes

* Ignore Android end transaction error when closing

for androidDatabaseProvider: 'system' setting,
to avoid possible crash during app shutdown

(cordova-sqlite-storage 2.5.2)

Resolves storesafe/cordova-sqlite-storage#833

* cordova-sqlite-storage 2.6.0 with SQLite 3.26.0

with security update and support for window functions

using cordova-sqlite-storage-dependencies@1.2.1

and add another upcoming breaking change

Resolves storesafe/cordova-sqlite-storage#837

* Project maintenance status

ref: storesafe#81

* Start 0.1.12-rc3_dev

* Fix SQLITE_ENABLE_MEMORY_MANAGEMENT setting in doc

* SQLITE_DEFAULT_SYNCHRONOUS=3 for iOS/macOS

(extra durable)

* FTS3/FTS5 update from SQLite 3.26.0 for iOS/macOS

(security update)

* FTS3/FTS5 update from SQLite 3.26.0 for Android

in custom build which now includes SQLITE_DEFAULT_SYNCHRONOUS=3
build setting for extra durability

* Fix SQLITE_DEFAULT_PAGE_SIZE / CACHE_SIZE in doc

* cordova-sqlcipher-adapter 0.1.12-rc3

* fix a couple build flags in README.md

* Start 0.2.0-dev

* package.json fix URLs

* Update CHANGES.md for using JARs again

* Remove default page/cache size settings

for unencrypted databases on iOS/macOS & unsupported Windows platforms
(already gone for Android)

* Skip faster repeated open/close test on Android

* Update outer label on spec/www/spec/cipher.js

* cordova-sqlcipher-adapter@0.2.0

* Remove incorrect page size statement from doc

* cordova-sqlcipher-adapter doc fixes

* Update for Cordova 8.1.x
* Remove redundant FUTURE TBD NDEBUG build item

* SQLITE_OMIT_DEPRECATED build flag on iOS/macOS

(cordova-sqlcipher-adapter 0.2.1)

* doc issue ref for SQLITE_OMIT_DEPRECATED

* SQLCipher 4.0.1 update

(cordova-sqlcipher-adapter 0.3.0-pre1)

* Update description for SQLCipher 3 vs 4, etc.

* cordova-sqlcipher-adapter 0.3.0

* start cordova-sqlite-storage-ext-core-common

plugin version branch

Note that this plugin version branch is made for easy merge of
changes into the cordova-sqlcipher-adapter plugin version

* Update about text for this plugin version branch

* Quick test & doc updates for Android 8(+) & iOS 12

* Use SQLite 3.22.0 in this plugin version branch

with SQLITE_DEFAULT_SYNCHRONOUS=3 (EXTRA DURABLE) compile-time setting

from cordova-sqlite-storage-dependencies@1.2.1

* cordova-sqlite-storage-ext-core-common 1.0.0

* cordova-sqlite-storage-ext-core-common 1.0.1-dev

* Completely remove iOS/macOS MRC support

(should be considered a POSSIBLY BREAKING change)

ref: storesafe/cordova-sqlite-storage#769

* remove backgroundExecuteSql method not needed

(iOS/macOS)

ref: storesafe/cordova-sqlite-storage#769

* no extra @synchronized block per batch (iOS/macOS)

should be considered a POSSIBLY BREAKING change

ref: storesafe/cordova-sqlite-storage#769

* drop workaround for pre-Honeycomb Android API

(BREAKING CHANGE)

* Completely remove old Android SuppressLint

(android.annotation.SuppressLint) - POSSIBLY BREAKING CHANGE

* non-static Android database runner map

(POTENTIALLY BREAKING CHANGE)

ref: storesafe/cordova-sqlite-storage#763

* remove internal qid usage from JavaScript

(not needed)

* SQLITE_DBCONFIG_DEFENSIVE flag - iOS/macOS/Windows

(POTENTIALLY BREAKING CHANGE)

* cordova-sqlite-storage-ext-core-common 2.0.0

* start cordova-sqlcipher-adapter@0.3.1-dev

* SQLITE_DEFAULT_SYNCHRONOUS=3 on Windows

(EXTRA DURABLE compile-time setting on the disabled Windows platform)

* quick doc fixes

* Cleanup SQLite version test in this plugin version

* Quick fixes for INSERT syntax error test

in this plugin version

* Cleanup SQLiteAndroidDatabase.java

in this plugin version

remove workaround solutions for pre-Honeycomb & dbFile
not needed in this plugin version

* Update supported Android/iOS versions

in this plugin version

NOTE that there should be no issues with pre-Honeycomb
since this plugin version uses a special version
of the AOSP SQLite database implementation.

* SQLITE_DBCONFIG_DEFENSIVE flag for Android

(custom build) in addition to iOS/macOS/Windows

(POTENTIALLY BREAKING CHANGE)

* minor description update

* cordova-sqlcipher-adapter@0.4.0

* fix cordova-sqlite-storage-ext-core-common changes

* cordova-sqlite-ext-core-common 0.1.0-dev

Note that a 0.x.x version identifier is used in this
plugin version branch since it is not ready for production,
due to missing SQLITE_DBCONFIG_DEFENSIVE option setting
on Android.

* beforePluginInstall.js updates

- use standard Promise
- get the plugin package name from package.json
- use const instead of var
- remove hashbang line that is not needed

NOTE that this update should be considered a
POSSIBLY BREAKING CHANGE since const may not work
on some really old Node.js versions.

* remove node_modules/.keep (not needed)

* .gitignore add package-lock.json

* shelljs@0.8 update in devDependencies

Note that this means that minimum of Node.js version 6
is required for prepareSpec.js to work.

(This should not impose such a minimum Node.js version
on Cordova projects *using* this plugin.)

* Cleanup remove trailing whitespace in bin/test.ps1

* SQLitePlugin.coffee.md openDatabase step 1 comment

* cordova-sqlite-ext-core-common 0.1.0

* cordova-sqlite-ext-common-core 0.1.0-dev

* Improved test updates for iOS 12 & recent SQLite

* Update README.md for major release coming in 2019

Note that use of SQLITE_DBCONFIG_DEFENSIVE setting is
implemented for iOS/macOS/Windows at this point
in this plugin version branch.

* Update REGEXP test conditions

including an updated note that some REGEXP test conditions
should be removed for plugin versions such as cordova-sqlite-ext

* cordova-sqlite-ext-common-core 0.1.0

* cordova-sqlite-ext-common-core 0.1.1-dev

* SQLite3-Win-RT->SQLite3-WinRT-sync in src/windows

move the embedded SQLite3-WinRT component to
src/windows/SQLite3-WinRT-sync

and update plugin.xml

* SQLite3-WinRT component info in README.md

* Another update regarding new major release

* cordova-sqlite-extcore 0.1.0

* cordova-sqlite-ext-common-core 0.2.0-dev

* Completely remove old Windows vcxproj files

that were used for Windows 8.1 & Windows Phone 8.1 builds

* Move SQLite3.UWP.vcxproj out of extra SQLite3.UWP

subdirectory

* cordova-sqlite-ext-common-core 0.2.0

* cordova-sqlite-storage 3.0.0-dev

* Use cordova-sqlite-storage-dependencies 2.0.0

with SQLITE_DBCONFIG_DEFENSIVE setting used by
sqlite-native-driver.jar on Android

* cordova-sqlite-storage 3.0.0

* cordova-sqlite-storage 3.0.1-dev

* no SQLITE_DEFAULT_CACHE_SIZE on iOS/macOS/Windows

* update email & website links

* Update README.md for projects moved so far

* free consulting special

* cordova-sqlite-storage 3.1.0

* package.json update cordova-sqlite-storage links

* cordova-sqlite-storage 3.1.1-dev

* fs-extra & cross-spawn in scripts/prepareSpec.js

instead of shelljs

* Fix prepare-spec "script" name in package.json

* clean-spec shell "script" in package.json

* .gitignore ignore yarn.lock

* Mark old bin scripts as UNSUPPORTED

with a note that package scripts should be used instead

* prepare-js "script" (using coffeescript@1 for now)

* sqlite3_threadsafe() error handling on iOS/macOS

* cordova-sqlite-storage 3.2.0

* cordova-sqlite-storage 3.2.1-dev

* fix internal clean-spec script

* fs-extra@8 update in devDependencies

* cordova-sqlite-storage-dependencies@2.0.1 update

with SQLite 3.28.0 update for all supported platforms
Android/iOS/macOS/Windows

* cordova-sqlite-storage 3.2.1

* cordova-sqlite-storage 3.2.2-dev

* cordova-sqlite-storage-commoncore 1.0.0-pre1

starting version branch for additional EU character testing

NOTE that this version branch is currently known to require
slightly older Cordova CLI version such as cordova@8,
cordova@7, or cordova@6 in order to install properly.

This is due to use of an obsolete Cordova module.

This is not an issue with recent versions of
cordova-sqlite-storage itself or any of the
other up-to-date version branches.

* Update string test comments for ICU-UNICODE

for:
- Web SQL on Chrome desktop browser
- plugin with androidDatabaseImplementation: 2 on Android 4.4 & newer

* additional EU string manipulation test cases

* cordova-sqlite-storage-commoncore 1.0.0

with some additional EU character testing

NOTE that this version branch is currently known to require
slightly older Cordova CLI version such as cordova@8,
cordova@7, or cordova@6 in order to install properly.

This is due to use of an obsolete Cordova module.

This is not an issue with recent versions of
cordova-sqlite-storage itself or any of the
other up-to-date version branches.

* quick updates & fixes to error mapping tests

- test syntax error with comma after the field name
- quick fix of error test on (WebKit) Web SQL on Safari desktop browser
- pretter detection of iOS platform
- IGNORE difference in an error message on iOS as well as Android 7.0(+)
- other minor updates & fixes

* SQLCipher 4.2.0 update

(cordova-sqlcipher-adapter 0.4.1)

* Fix CHANGES.md for 3.2.1 vs 3.2.2-dev

* remove some promotions, for now at least

* quick test updates for Android 9 (Pie)

* New page/cache default sizes

with cordova-sqlite-storage-dependencies@2.1.0 update

(cordova-sqlite-storage plugin version)

* cordova-sqlite-storage 3.3.0

* start cordova-sqlite-storage 3.3.1-dev

* quick workaround for `SYNTAX_ERR` redefinition

* cordova-sqlite-storage 3.4.0

* cordova-sqlite-storage 3.4.1-dev

* fix CHANGES.md for 3.4.0 vs 3.4.1-dev

cordova-sqlite-storage 3.4.0 vs 3.4.1-dev

* add string test with double-quotes in result key

* cordova-sqlite-storage-dependencies@2.1.1 update

with SQLite 3.30.1

* cordova-sqlite-storage 3.4.1

* start cordova-sqlite-storage 3.4.2-dev

* double-quotes in result key test fixes

ref: storesafe/cordova-sqlite-evcore-extbuild-free#51

* rename PSPDFThreadSafeMutableDictionary

to CustomPSPDFThreadSafeMutableDictionary

and completely remove PSPDFThreadSafeMutableDictionary.h

(cordova-sqlite-storage 4.0.0-pre1)

* cordova-sqlite-storage 4.0.0

* start cordova-sqlite-storage 4.0.1-dev

* [TBD] add PENDING rename table with view test

PENDING due to KNOWN CRASH on SQLite 3.30.1 (December 2019) ref:

- http://sqlite.1065341.n5.nabble.com/Crash-Bug-Report-tc109903.html
- storesafe/cordova-sqlite-storage#904

* doc updates & fixes

* start cordova-sqlite-storage 5.0.0-dev

(MAJOR update)

* avoid incorrect default directory on iOS/macOS

- to be extra safe

(see <storesafe/cordova-sqlite-storage#907>)

- ensure that default "nosync" directory *always* has resource value
  set for `NSURLIsExcludedFromBackupKey`
- add more checks for missing database directory

* cordova-sqlite-storage@5 doc updates

- add comparison of supported plugin versions near the beginning
- updated list of breaking changes coming soon
- hide browser usage notes for now (at least)
- other minor updates

* cordova-sqlite-storage 5.0.0

* start cordova-sqlite-storage 5.0.1-dev

* cordova-sqlite-storage@5.0.0 back CHANGES.md

(restore the cordova-sqlite-storage 5.0.0 heading in CHANGES.md)

* update breaking changes coming soon in doc

* fix cordova-sqlite-storage 3.4.1 update in CHANGES.md

* test & doc INCONSISTENT error message formatting

on Android (with android-database-sqlcipher)

ref: storesafe#95

* status fixes in cordova-sqlcipher-adapter doc

- add missing `SQLITE_ENABLE_DBSTAT_VTAB` item for Android only
- fix for default `PRAGMA journal_mode` setting

* SQLCipher version test & doc updates

- update SQLCipher version test to be specific Android vs iOS/mac/...
- remove a specific SQLCipher version number from Announcements
  in README.md

* start cordova-sqlcipher-adapter 0.5.0-dev

* SQLCipher 4.3.0 update for iOS/macOS

* SQLCipher 4.3.0 update for Android

now using `androidx.sqlite:sqlite:2.1.0` framework reference
in plugin.xml

- `SQLITE_OMIT_PROGRESS_CALLBACK` is no longer used on Android
- Extra-old `armeabi` CPU for Android pre-5.0 is no longer supported
  by this plugin version.

* general cordova-sqlcipher-adapter doc updates

(before upcoming merge)

* cordova-sqlcipher-adapter 0.5.0

* use cordova-sqlite-storage-dependencies@2.1.2

with SQLite 3.32.3 update

* enable RENAME table with view test

From December 2019 SQLite crash report, fixed in 2020

* cordova-sqlite-storage 5.0.1

* remove incorrect Android framework info

* start cordova-sqlcipher-adapter 0.5.1-dev

* SQLCipher 4.4.0 (community) update for iOS & macOS

("osx")

* SQLCipher 4.4.0 (community) update for Android

(in custom build, as documented)

* add PRAGMA cipher_version test

* cordova-sqlcipher-adapter 0.5.1

* document AndroidX requirement

* start cordova-sqlcipher-adapter 0.5.2-dev

* SQLCipher 4.4.2 (community) update for Android

(in custom build, as documented)

* SQLCipher 4.4.2 (community) update for iOS & macOS

* cordova-sqlcipher-adapter 0.5.2

* fix: added migration from sqlcipher3 to 4 on iOS.

* refactor: code refactor for iOS

* chore: added comment in sqlcipher process on iOS

* added parameter name for code readability

* chore: added missing comment

* RMET-2046 SQLite 3.33.0 update - Android (#12)

* feat: updated jars

* updated jars

* feat: updated gitignore. added db migration

* feat: added database migration

* fix: added migration code.

* chore: updated changelog

Co-authored-by: Christopher J. Brody <brodybits@litehelpers.net>
Co-authored-by: Christopher J. Brody <chris.brody@gmail.com>
Co-authored-by: Christopher J. Brody <chris@brody.consulting>
Co-authored-by: Christopher J. Brody <chris.brody+brodybits@gmail.com>