mirror of
https://github.com/php/php-src.git
synced 2026-03-24 08:12:21 +01:00
A previous fix[1] was not sufficient to catch all potential file URIs, because the patch did not cater to URL encoding. Properly parsing and decoding the URI may yield a different result than the handling of SQLite3, so we play it safe, and reject any file URIs if open_basedir is configured.

[1] <https://bugs.php.net/bug.php?id=77967>

Closes GH-10018.
14 lines
295 B
PHP
--TEST--
Bug #81742 (open_basedir bypass in SQLite3 by using url encoded file)
--EXTENSIONS--
sqlite3
--INI--
open_basedir=.
--FILE--
<?php
$db = new SQLite3(':memory:');
$db->query("ATTACH 'file:..%2ffoo.php' as db2;");
?>
--EXPECTF--
Warning: SQLite3::query(): not authorized in %s on line %d
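An added illustration in C, not code from php-src: it shows why a check on the raw text after `file:` accepts the test's `..%2ffoo.php` while a URI-aware opener would resolve it outside the base directory, and how the conservative rule from the commit message avoids depending on the decoder. All function names are hypothetical, and the `..`-segment test is a simplified stand-in for a real open_basedir check.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst; dst must hold strlen(src) + 1 bytes. */
static void pct_decode(const char *src, char *dst) {
    for (; *src; src++) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 2;
        } else *dst++ = *src;
    }
    *dst = '\0';
}

/* Simplified stand-in for a base-directory check: 1 if any segment is "..". */
static int has_dotdot_segment(const char *path) {
    while (*path) {
        size_t n = strcspn(path, "/");
        if (n == 2 && path[0] == '.' && path[1] == '.') return 1;
        path += n + (path[n] == '/');
    }
    return 0;
}

/* Weak check: looks at the raw text after "file:", no URL decoding. 1 = allow. */
int allow_attach_raw(const char *name) {
    if (strncmp(name, "file:", 5) == 0) name += 5;
    return !has_dotdot_segment(name);
}

/* What a URI-aware opener would see after decoding: 1 = leaves the base dir. */
int decoded_escapes(const char *name) {
    char buf[256];
    if (strncmp(name, "file:", 5) == 0) name += 5;
    if (strlen(name) >= sizeof buf) return 1; /* too long: treat as unsafe */
    pct_decode(name, buf);
    return has_dotdot_segment(buf);
}

/* Conservative rule: with a base directory configured, refuse every file: URI. */
int allow_attach_strict(const char *name, int basedir_configured) {
    if (basedir_configured && strncmp(name, "file:", 5) == 0) return 0;
    return !has_dotdot_segment(name);
}

int main(void) {
    const char *uri = "file:..%2ffoo.php"; /* the URI used in the test file */
    printf("raw=%d escapes=%d strict=%d\n", allow_attach_raw(uri),
           decoded_escapes(uri), allow_attach_strict(uri, 1));
    return 0;
}
```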