Fix bug #77967 - Bypassing open_basedir restrictions via file uris

2 files changed, 15 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index f771d2092c..5c8d7d0fb8 100644
--- a/NEWS
+++ b/NEWS
@@ -3,7 +3,7 @@ PHP                                                                        NEWS
 ?? ??? 2019, PHP 7.1.30
 
 - EXIF:
-  . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). 
+  . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16).
   (CVE-2019-11040) (Stas)
 
 - GD:
@@ -14,6 +14,9 @@ PHP                                                                        NEWS
   . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
   due to integer overflow). (CVE-2019-11039). (maris dot adam)
 
+- SQLite:
+  . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas)
+
 03 May 2019, PHP 7.1.29
 
 - EXIF:
@@ -28,8 +31,8 @@ PHP                                                                        NEWS
 - EXIF:
   . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034)
     (Stas)
-  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). 
-	(CVE-2019-11035) (Stas)
+  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value).
+    (CVE-2019-11035) (Stas)
 
 - SQLite3:
   . Added sqlite3.defensive INI directive. (BohwaZ)
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index 7e7a3a0454..9e70f06651 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -2034,6 +2034,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar
 		case SQLITE_ATTACH:
 		{
 			if (memcmp(arg3, ":memory:", sizeof(":memory:")) && *arg3) {
+				if (strncmp(arg3, "file:", 5) == 0) {
+					/* starts with "file:" */
+					if (!arg3[5]) {
+						return SQLITE_DENY;
+					}
+					if (php_check_open_basedir(arg3 + 5)) {
+						return SQLITE_DENY;
+					}
+				}
 				if (php_check_open_basedir(arg3)) {
 					return SQLITE_DENY;
 				}