Merge branch 'PHP-8.1' into PHP-8.2

cmb69 · cmb69 · commit 830180341bb4 · 2022-12-06T16:00:49.000+01:00
* PHP-8.1:
  Fix #81742: open_basedir bypass in SQLite3 by using file URI
diff --git a/NEWS b/NEWS
@@ -52,6 +52,9 @@ PHP                                                                        NEWS
   . Fixed GH-10011 (Trampoline autoloader will get reregistered and cannot be
     unregistered). (Girgias)
 
+- SQLite3:
+  . Fixed bug #81742 (open_basedir bypass in SQLite3 by using file URI). (cmb)
+
 08 Dec 2022, PHP 8.2.0
 
 - CLI:
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
@@ -2073,14 +2073,8 @@ static int php_sqlite3_authorizer(void *autharg, int action, const char *arg1, c
 			if (memcmp(arg1, ":memory:", sizeof(":memory:")) && *arg1) {
 				if (strncmp(arg1, "file:", 5) == 0) {
 					/* starts with "file:" */
-					if (!arg1[5]) {
-						return SQLITE_DENY;
-					}
-					if (php_check_open_basedir(arg1 + 5)) {
-						return SQLITE_DENY;
-					}
-				}
-				if (php_check_open_basedir(arg1)) {
+					return SQLITE_DENY;
+				} else if (php_check_open_basedir(arg1)) {
 					return SQLITE_DENY;
 				}
 			}
diff --git a/ext/sqlite3/tests/bug81742.phpt b/ext/sqlite3/tests/bug81742.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #81742 (open_basedir bypass in SQLite3 by using url encoded file)
+--EXTENSIONS--
+sqlite3
+--INI--
+open_basedir=.
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+$db->query("ATTACH 'file:..%2ffoo.php' as db2;");
+?>
+--EXPECTF--
+Warning: SQLite3::query(): not authorized in %s on line %d
