gh-80254: Disallow recursive usage of cursors in sqlite3 converters

[erlend-aasland]

Original PR: GH-11984

Fixes #80254

https://bugs.python.org/issue36073

[bedevere-bot]

🤖 New build scheduled with the buildbot fleet by @erlend-aasland for commit bb0a729 🤖

If you want to schedule another build, you need to add the ":hammer: test-with-buildbots" label again.

[erlend-aasland]

Buildbot comments:

• buildbot/x86 Gentoo Installed with X PR: test_tk and test_ttk_guionly failed => unrelated
• buildbot/x86 Gentoo Non-Debug with X PR: ditto

[erlend-aasland]

On hold until end of week: #29054 (comment)

[sir-sigurd]

@erlend-aasland, sorry for delay, I closed my PR.

[MaxwellDupre]

I think it would be a good idea to mention in the Docs. If already there please show ref.

[erlend-aasland]

I think it would be a good idea to mention in the Docs. If already there please show ref.

@MaxwellDupre, can you please explain why? I think we should not try to encourage users to shoot themselves in the foot with adapters and converters (or at all), so I prefer, very strongly, not to mention this in the docs.

[miss-islington]

Thanks @erlend-aasland for the PR, and @JelleZijlstra for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10.
🐍🍒⛏🤖

[miss-islington]

Sorry, @erlend-aasland and @JelleZijlstra, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker f629dcfe835e349433e4c5099381d668e8fe69c8 3.10

[miss-islington]

Sorry @erlend-aasland and @JelleZijlstra, I had trouble checking out the 3.9 backport branch.
Please backport using cherry_picker on command line.
cherry_picker f629dcfe835e349433e4c5099381d668e8fe69c8 3.9

[erlend-aasland]

I'll fix the backports

[JelleZijlstra]

Thanks! I think it should go into the security branches too, because every segfault is potentially an exploitable security issue. @ambv what do you think?

[ambv]

@JelleZijlstra, correct! Crashers are DoS and as such are treated as security issues.

[miss-islington]

Thanks @erlend-aasland for the PR, and @JelleZijlstra for merging it 🌮🎉.. I'm working now to backport this PR to: 3.8.
🐍🍒⛏🤖

[miss-islington]

Thanks @erlend-aasland for the PR, and @JelleZijlstra for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖

[miss-islington]

Sorry, @erlend-aasland and @JelleZijlstra, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker f629dcfe835e349433e4c5099381d668e8fe69c8 3.8

[miss-islington]

Sorry @erlend-aasland and @JelleZijlstra, I had trouble checking out the 3.7 backport branch.
Please backport using cherry_picker on command line.
cherry_picker f629dcfe835e349433e4c5099381d668e8fe69c8 3.7

[erlend-aasland]

@JelleZijlstra, correct! Crashers are DoS and as such are treated as security issues.

Thanks for that fact regarding crashers, I was unaware! 📝

I'll fix the backports as soon as possible (currently on my way back home from pycon).

[JelleZijlstra]

Thanks! I looked at the 3.10 backport for a while but I'm not sure where the refleak is.

[erlend-aasland]

Thanks! I looked at the 3.10 backport for a while but I'm not sure where the refleak is.

No worries, I found and fixed it in flight to Chicago. I've yet to push it though. But 3.9 contains even more ref. leaks! Looking into that soon.

[erlend-aasland]

FTR (also cross-posting this list on the issue):

• 3.10 backport: [3.10] gh-80254: Disallow recursive usage of cursors in sqlite3 converters #92274
• 3.9 backport: [3.9] gh-80254: Disallow recursive usage of cursors in sqlite3 converters #92278
• 3.8 backport: [3.8] gh-80254: Disallow recursive usage of cursors in sqlite3 converters #92333
• 3.7 backport: [3.7] gh-80254: Disallow recursive usage of cursors in sqlite3 converters #92334