OK, so, if this is what it is, then my question from earlier can be answered, I suppose. It is with FTS3, and the new defensive mode should be able to prevent it (there are also bug fixes to prevent it, even if you do not use the defensive mode). I have not used any of the FTS extensions, but in future I might. Now I can know what is the vulnerability.
(I do not use Chrome or Chromium, although this article is good to me anyways since it explains what the vulnerability is, since I do use SQLite.)
WebSQL was replaced as a specification by IndexedDB, and Mozilla and Microsoft publicly opposed implementing it. Google has said in the past that they have no plans to remove it from Chrome, although given that they're shutting down Google+ due to vulnerabilities, I am curious if they are going to change their minds.
I think the Google+ shutdown has more to do with the G+ data leaks and increased scrutiny social media platforms are coming under because of fake news and fb political issues.
You cant even disable it, its like Google really really wants it present on every computer out there. What one could do is write an extension to stub it out.
The offending WebSQL statements are as follows:
DROP TABLE IF EXISTS ft;
CREATE VIRTUAL TABLE ft USING fts3;
INSERT INTO ft VALUES('aback');
INSERT INTO ft VALUES('abaft');
INSERT INTO ft VALUES('abandon');
SELECT quote(root) from ft_segdir;
UPDATE ft_segdir SET root = X'0005616261636B03010200FFFFFFFF070266740302020003046E646F6E03030200';
SELECT * FROM ft WHERE ft MATCH 'abandon';
Source: https://github.com/zhuowei/worthdoingbadly.com/blob/master/_...
OK, so, if this is what it is, then my question from earlier can be answered, I suppose. It is with FTS3, and the new defensive mode should be able to prevent it (there are also bug fixes to prevent it, even if you do not use the defensive mode). I have not used any of the FTS extensions, but in future I might. Now I can know what is the vulnerability.
(I do not use Chrome or Chromium, although this article is good to me anyways since it explains what the vulnerability is, since I do use SQLite.)
Still no CVE assigned, and no-one has requested, not even via https://iwantacve.org/
isn't WebSql deprecated and will be removed from chrome?
Work on the specification stopped in 2010 but it's not been removed from the browsers that supported it.
WebSQL was replaced as a specification by IndexedDB, and Mozilla and Microsoft publicly opposed implementing it. Google has said in the past that they have no plans to remove it from Chrome, although given that they're shutting down Google+ due to vulnerabilities, I am curious if they are going to change their minds.
They are shutting down Google+ because no one uses it and they don't want to spend any money on developers maintaining a pointless product...
I think the Google+ shutdown has more to do with the G+ data leaks and increased scrutiny social media platforms are coming under because of fake news and fb political issues.
Perfect scapegoat to sunset a product that one one uses.
You cant even disable it, its like Google really really wants it present on every computer out there. What one could do is write an extension to stub it out.