Fix #81742: open_basedir bypass in SQLite3 by using file URI

A previous fix[1] was not sufficient to catch all potential file URIs,
because the patch did not cater to URL encoding.  Properly parsing and
decoding the URI may yield a different result than the handling of
SQLite3, so we play it safe, and reject any file URIs if open_basedir
is configured.

[1] <https://bugs.php.net/bug.php?id=77967>

Closes GH-10018.

Author: cmb69

NEWS

@@ -57,6 +57,9 @@ PHP                                                                        NEWS
   . Fixed GH-10011 (Trampoline autoloader will get reregistered and cannot be
     unregistered). (Girgias)
 
+- SQLite3:
+  . Fixed bug #81742 (open_basedir bypass in SQLite3 by using file URI). (cmb)
+
 24 Nov 2022, PHP 8.1.13
 
 - CLI:

ext/sqlite3/sqlite3.c

@@ -2040,14 +2040,8 @@ static int php_sqlite3_authorizer(void *autharg, int action, const char *arg1, c
 			if (memcmp(arg1, ":memory:", sizeof(":memory:")) && *arg1) {
 				if (strncmp(arg1, "file:", 5) == 0) {
 					/* starts with "file:" */
-					if (!arg1[5]) {
-						return SQLITE_DENY;
-					}
-					if (php_check_open_basedir(arg1 + 5)) {
-						return SQLITE_DENY;
-					}
-				}
-				if (php_check_open_basedir(arg1)) {
+					return SQLITE_DENY;
+				} else if (php_check_open_basedir(arg1)) {
 					return SQLITE_DENY;
 				}
 			}

ext/sqlite3/tests/bug81742.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Bug #81742 (open_basedir bypass in SQLite3 by using url encoded file)
+--EXTENSIONS--
+sqlite3
+--INI--
+open_basedir=.
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+$db->query("ATTACH 'file:..%2ffoo.php' as db2;");
+?>
+--EXPECTF--
+Warning: SQLite3::query(): not authorized in %s on line %d