Allow to specify SQLite URI filenames to PDO DSN

[tzmfreedom]

SQLite allows to URI filenames to setup database configuration.
https://www.sqlite.org/uri.html
https://www.sqlite.org/c3ref/open.html#urifilenameexamples

With URI filename, we can specify query parameters to setup SQLite configuration, for example mode=ro disables write access, nolock=1 disables file locking.

In current PHP implementation, we cannot specify URI filenames because of expanding filename process, so this PR resolve it.

Example usage:

$pdo = new PDO('sqlite3:file:/tmp/db.sqlite?mode=ro');

[nikic]

As implemented, this allows an open_basedir bypass by prefixing with file:. It would be necessary to parse out the filename portion from the URI and validate it. Or alternatively don't permit the URI form if open_basedir is enabled.

Though this is actually a pre-existing problem, as one could manually specify SQLITE_OPEN_URI via PDO::SQLITE_ATTR_OPEN_FLAGS. We should probably explicitly filter out SQLITE_OPEN_URI under open_basedir. cc @cmb69

[nikic]

Though this is actually a pre-existing problem, as one could manually specify SQLITE_OPEN_URI via PDO::SQLITE_ATTR_OPEN_FLAGS. We should probably explicitly filter out SQLITE_OPEN_URI under open_basedir. cc @cmb69

Ah no, that's not right. There's no problem right now, as we'd treat the file: as part of the filename.

[tzmfreedom]

Thank you for review.

As implemented, this allows an open_basedir bypass by prefixing with file:. It would be necessary to parse out the filename portion from the URI and validate it. Or alternatively don't permit the URI form if open_basedir is enabled.

I fixed, so it parse filename portion and validate it with php_check_open_basedir.

[nikic]

I pushed an additional test for check the open_basedir part. @cmb69 Do you see any issues with this?

[cmb69]

Hm, would that really work with arbitrary file:// URIs? E.g. when there is %2f in the path component.

[tzmfreedom]

If the filename or query parameter contains %2fin path component, decoded string / is recognized by sqlite.

$db = new \PDO('sqlite:file:/Users/foo%20bar%2fexample.db');
// => Access to "/Users/foo bar/example.db"

$db = new \PDO('sqlite:file:/Users/foo/example.db?mode=%2f');
// => Fatal error: Uncaught PDOException: SQLSTATE[HY000] [1] no such access mode: / in ...

But, I find my mistake that the current change on this PullRequest is not considered about file://{authority}/ or file:/// formatted URI. So I fixed it. 85f5361

[cmb69]

If the filename or query parameter contains %2fin path component, decoded string / is recognized by sqlite.

Yes, but it is also correctly handled by expand_filepath()?

[nikic]

I don't think we'll want to parse/decode the URL, as we could easily end up interpreting it differently than sqlite3 will. I think the path of least resistance here it to simply disable the SQLITE_OPEN_URI feature under open_basedir entirely.

[tzmfreedom]

Thank you for your advice.
I've changed that it disable SQLITE_OPEN_URI feature when open_basedir is set: 25d4392

[nikic]

This looks good to me. @cmb69 Any further concerns?

[cmb69]

Nope; should be okay. :)