Fix bug #77967 - Bypassing open_basedir restrictions via file uris

smalyshev · smalyshev · commit ce1447e302e5 · 2019-06-05T22:43:45.000-07:00
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
@@ -2012,8 +2012,16 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar
 					return SQLITE_DENY;
 				}
 #endif
-
-				if (php_check_open_basedir(arg3 TSRMLS_CC)) {
+				if (strncmp(arg3, "file:", 5) == 0) {
+					/* starts with "file:" */
+					if (!arg3[5]) {
+						return SQLITE_DENY;
+					}
+					if (php_check_open_basedir(arg3 + 5 TSRMLS_CC)) {
+						return SQLITE_DENY;
+					}
+				}
+                if (php_check_open_basedir(arg3 TSRMLS_CC)) {
 					return SQLITE_DENY;
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -2012,8 +2012,16 @@ static int php_sqlite3_authorizer(void autharg, int access_type, const char ar`
`2012`	`2012`	`return SQLITE_DENY;`
`2013`	`2013`	`}`
`2014`	`2014`	`#endif`
`2015`		`-`
`2016`		`- if (php_check_open_basedir(arg3 TSRMLS_CC)) {`
	`2015`	`+ if (strncmp(arg3, "file:", 5) == 0) {`
	`2016`	`+ /* starts with "file:" */`
	`2017`	`+ if (!arg3[5]) {`
	`2018`	`+ return SQLITE_DENY;`
	`2019`	`+ }`
	`2020`	`+ if (php_check_open_basedir(arg3 + 5 TSRMLS_CC)) {`
	`2021`	`+ return SQLITE_DENY;`
	`2022`	`+ }`
	`2023`	`+ }`
	`2024`	`+ if (php_check_open_basedir(arg3 TSRMLS_CC)) {`
`2017`	`2025`	`return SQLITE_DENY;`
`2018`	`2026`	`}`
`2019`	`2027`	`}`