Currently search_id() looks for the latest matching entry by login time:

```c
char *sql = "SELECT ID FROM wtmp WHERE TTY = ? AND Logout IS NULL ORDER BY Login DESC LIMIT 1";
```
Isn't this vulnerable if the system time has ever been later than now (sadly, it happens!), then returning a wrong, 'earlier', record?
How about changing the ordering to descending order of row ID if sqlite3 guarantees this is always monotonically increasing? Perhaps that would even be more performant if sqlite3 backs the primary key with an index, which I imagine it does!
wtmpdb/lib/sqlite.c, line 361 in 4e4b54e
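
The situation this issue describes, reproduced as an added example (not wtmpdb code): it runs the quoted `ORDER BY Login` query and the proposed `ORDER BY ID` query against two open entries on the same TTY, and checks whether SQLite's plan needs a separate sort step. The table is a simplified stand-in with only the columns the query uses, the timestamps are constructed, `AUTOINCREMENT` on `ID` is an assumption, and `search_id()` and `needs_sort()` here are hypothetical Python helpers.

```python
import sqlite3

# Simplified stand-in for the wtmp table (assumption): only the columns the
# query touches. With AUTOINCREMENT, automatically assigned IDs only increase.
SCHEMA = """CREATE TABLE wtmp(ID INTEGER PRIMARY KEY AUTOINCREMENT,
                              TTY TEXT, Login INTEGER, Logout INTEGER)"""
WHERE = "SELECT ID FROM wtmp WHERE TTY = ? AND Logout IS NULL "
BY_LOGIN = WHERE + "ORDER BY Login DESC LIMIT 1"  # query quoted in the issue
BY_ID = WHERE + "ORDER BY ID DESC LIMIT 1"        # ordering the issue proposes


def build_db():
    """Constructed rows: two open sessions on tty1, inserted in this order."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    ins = "INSERT INTO wtmp(TTY, Login, Logout) VALUES (?, ?, NULL)"
    # ID 1: logged while the clock ran ahead, never closed (e.g. a crash).
    db.execute(ins, ("tty1", 2_000_000_000))
    # ID 2: the current session, logged after the clock was corrected.
    db.execute(ins, ("tty1", 1_700_000_000))
    return db


def search_id(db, sql, tty):
    """Return the ID the given query selects for tty, or None."""
    row = db.execute(sql, (tty,)).fetchone()
    return row[0] if row else None


def needs_sort(db, sql):
    """True if SQLite's plan includes a separate sort step for ORDER BY."""
    plan = db.execute("EXPLAIN QUERY PLAN " + sql, ("tty1",)).fetchall()
    return any("TEMP B-TREE" in row[-1] for row in plan)


if __name__ == "__main__":
    db = build_db()
    for name, sql in (("ORDER BY Login", BY_LOGIN), ("ORDER BY ID", BY_ID)):
        print(name, "-> ID", search_id(db, sql, "tty1"),
              "| sort step:", needs_sort(db, sql))
```
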