diff options
author | Stanislav Malyshev <stas@php.net> | 2019-05-27 18:04:00 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-05-27 18:48:48 -0700 |
commit | c34895e837b50213c2bb201c612904342d2bd216 (patch) | |
tree | aeeca517f903a44ee6d80a7d1ecabcf5e7fbb5b4 | |
parent | 73ff4193be24192c894dc0502d06e2b2db35eefb (diff) | |
download | php-git-c34895e837b50213c2bb201c612904342d2bd216.tar.gz |
Fix bug #77967 - Bypassing open_basedir restrictions via file uris
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | ext/sqlite3/sqlite3.c | 9 |
2 files changed, 15 insertions, 3 deletions
@@ -3,7 +3,7 @@ PHP NEWS ?? ??? 2019, PHP 7.1.30 - EXIF: - . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). + . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). (CVE-2019-11040) (Stas) - GD: @@ -14,6 +14,9 @@ PHP NEWS . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow). (CVE-2019-11039). (maris dot adam) +- SQLite: + . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas) + 03 May 2019, PHP 7.1.29 - EXIF: @@ -28,8 +31,8 @@ PHP NEWS - EXIF: . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (CVE-2019-11034) (Stas) - . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). - (CVE-2019-11035) (Stas) + . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). + (CVE-2019-11035) (Stas) - SQLite3: . Added sqlite3.defensive INI directive. (BohwaZ) diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c index 7e7a3a0454..9e70f06651 100644 --- a/ext/sqlite3/sqlite3.c +++ b/ext/sqlite3/sqlite3.c @@ -2034,6 +2034,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar case SQLITE_ATTACH: { if (memcmp(arg3, ":memory:", sizeof(":memory:")) && *arg3) { + if (strncmp(arg3, "file:", 5) == 0) { + /* starts with "file:" */ + if (!arg3[5]) { + return SQLITE_DENY; + } + if (php_check_open_basedir(arg3 + 5)) { + return SQLITE_DENY; + } + } if (php_check_open_basedir(arg3)) { return SQLITE_DENY; } |