php · cmb69 · Nov 29, 2022 · Dec 5, 2022
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
@@ -2040,14 +2040,8 @@ static int php_sqlite3_authorizer(void *autharg, int action, const char *arg1, c
 			if (memcmp(arg1, ":memory:", sizeof(":memory:")) && *arg1) {
 				if (strncmp(arg1, "file:", 5) == 0) {
 					/* starts with "file:" */
-					if (!arg1[5]) {
-						return SQLITE_DENY;
-					}
-					if (php_check_open_basedir(arg1 + 5)) {
-						return SQLITE_DENY;
-					}
-				}
-				if (php_check_open_basedir(arg1)) {
+					return SQLITE_DENY;
+				} else if (php_check_open_basedir(arg1)) {
 					return SQLITE_DENY;
 				}
 			}

diff --git a/ext/sqlite3/tests/bug81742.phpt b/ext/sqlite3/tests/bug81742.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #81742 (open_basedir bypass in SQLite3 by using url encoded file)
+--EXTENSIONS--
+sqlite3
+--INI--
+open_basedir=.
+--FILE--
+<?php
+$db = new SQLite3(':memory:');
+$db->query("ATTACH 'file:..%2ffoo.php' as db2;");
+?>
+--EXPECTF--
+Warning: SQLite3::query(): not authorized in %s on line %d