From 28ae0c46707486f314b7a69e73cd3496c7ef6237 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Tue, 29 Nov 2022 12:17:54 +0100
Subject: [PATCH 1/2] Fix #81742: open_basedir bypass in SQLite3 by using file URI

A previous fix[1] was not sufficient to catch all potential file URIs, because the patch did not cater to URL encoding. Properly parsing and decoding the URI may yield a different result than the handling of SQLite3, so we play it safe, and reject any file URIs if open_basedir is configured.

[1]
---
 ext/sqlite3/sqlite3.c | 8 ++------
 ext/sqlite3/tests/bug81742.phpt | 13 +++++++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 ext/sqlite3/tests/bug81742.phpt

diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index b0924d5857e16..615055dc6aebc 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -2040,14 +2040,10 @@ static int php_sqlite3_authorizer(void *autharg, int action, const char *arg1, c
 if (memcmp(arg1, ":memory:", sizeof(":memory:")) && *arg1) {
 if (strncmp(arg1, "file:", 5) == 0) {
 /* starts with "file:" */
- if (!arg1[5]) {
+ if (PG(open_basedir) && *PG(open_basedir)) {
 return SQLITE_DENY;
 }
- if (php_check_open_basedir(arg1 + 5)) {
- return SQLITE_DENY;
- }
- }
- if (php_check_open_basedir(arg1)) {
+ } else if (php_check_open_basedir(arg1)) {
 return SQLITE_DENY;
 }
 }
diff --git a/ext/sqlite3/tests/bug81742.phpt b/ext/sqlite3/tests/bug81742.phpt
new file mode 100644
index 0000000000000..3aa90a6d1133c
--- /dev/null
+++ b/ext/sqlite3/tests/bug81742.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #81742 (open_basedir bypass in SQLite3 by using url encoded file)
+--EXTENSIONS--
+sqlite3
+--INI--
+open_basedir=.
+--FILE--
+query("ATTACH 'file:..%2ffoo.php' as db2;");
+?>
+--EXPECTF--
+Warning: SQLite3::query(): not authorized in %s on line %d

From 4be441c89abca18dc51a40e06ad06e07193e9602 Mon Sep 17 00:00:00 2001
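Review bot: The retained comment `/* starts with "file:" */` no longer explains why the new branch denies every file: URI outright instead of checking the path, so the rationale given in the commit message should sit next to the code; replace it with `/* SQLite percent-decodes file: URIs itself, so an open_basedir check on the raw string can be bypassed (#81742); deny them outright when open_basedir is set */`. Note that the branch keys on the literal "file:" prefix only, so a name that SQLite would treat as a plain filename (when its URI handling is not enabled, which this hunk does not show) is denied as well; that is the conservative side, but worth stating in the comment. The enclosing php_sqlite3_authorizer starts before the hunk and continues after it.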
From: "Christoph M. Becker"
Date: Mon, 5 Dec 2022 16:26:02 +0100
Subject: [PATCH 2/2] Remove superfluous check

---
 ext/sqlite3/sqlite3.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 615055dc6aebc..d1a85e96009d6 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -2040,9 +2040,7 @@ static int php_sqlite3_authorizer(void *autharg, int action, const char *arg1, c
 if (memcmp(arg1, ":memory:", sizeof(":memory:")) && *arg1) {
 if (strncmp(arg1, "file:", 5) == 0) {
 /* starts with "file:" */
- if (PG(open_basedir) && *PG(open_basedir)) {
- return SQLITE_DENY;
- }
+ return SQLITE_DENY;
 } else if (php_check_open_basedir(arg1)) {
 return SQLITE_DENY;
 }
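Review bot: With the `PG(open_basedir)` test dropped, the unconditional `return SQLITE_DENY;` for file: URIs is correct only if the enclosing function already gates this block on open_basedir being configured, which the hunk does not show; the commit title implies such an outer guard exists, and that dependency should be recorded beside the return so a later change to the outer condition does not silently turn this into a blanket ban on file: URIs. I would replace `/* starts with "file:" */` with `/* only reached under open_basedir; SQLite percent-decodes file: URIs itself, so deny rather than path-check (#81742) */`. php_sqlite3_authorizer starts before the hunk and ends after it.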