summaryrefslogtreecommitdiffstats
path: root/php-bug77967.patch
blob: dad858593b3aacbdd3fcc64013b09ef7cf0cb3fb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
From 7de8c0284cd9e237eb8a1faa9b41af1d3ef32ea9 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 27 May 2019 18:04:00 -0700
Subject: [PATCH] Fix bug #77967 - Bypassing open_basedir restrictions via file
 uris

(cherry picked from commit c34895e837b50213c2bb201c612904342d2bd216)
---
 NEWS                  | 7 +++++--
 ext/sqlite3/sqlite3.c | 9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 9345c039a2..cff9517ed5 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,9 @@ Backported from 7.1.30
   . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
     due to integer overflow). (CVE-2019-11039). (maris dot adam)
 
+- SQLite:
+  . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas)
+
 Backported from 7.1.29
 
 - EXIF
@@ -26,8 +29,8 @@ Backported from 7.1.28
 - EXIF:
   . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034)
     (Stas)
-  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). 
-	(CVE-2019-11035) (Stas)
+  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
+    (CVE-2019-11035) (Stas)
 
 - SQLite3:
   . Added sqlite3.defensive INI directive. (BohwaZ)
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 761b777d06..7bf873ff69 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -2062,6 +2062,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar
 				}
 #endif
 
+				if (strncmp(arg3, "file:", 5) == 0) {
+					/* starts with "file:" */
+					if (!arg3[5]) {
+						return SQLITE_DENY;
+					}
+					if (php_check_open_basedir(arg3 + 5 TSRMLS_CC)) {
+						return SQLITE_DENY;
+					}
+				}
 				if (php_check_open_basedir(arg3 TSRMLS_CC)) {
 					return SQLITE_DENY;
 				}