Description
Unlike SQLite3::loadExtension, Pdo\Sqlite::loadExtension does not check sqlite3.extension_dir and calls sqlite3_load_extension with the absolute path to the extension parameter. This allows executing native code from PHP code subject to open_basedir / disable_functions (which are not security boundaries anyway).
|
if (!VCWD_REALPATH(extension, fullpath)) { |
|
zend_throw_exception_ex(php_pdo_get_exception(), 0, "Unable to load extension \"%s\"", extension); |
|
RETURN_THROWS(); |
|
} |
|
|
|
sqlite3 *sqlite_handle; |
|
sqlite_handle = db_handle->db; |
|
|
|
/* This only enables extension loading for the C api, not for SQL */ |
|
sqlite3_db_config(sqlite_handle, SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION, 1, NULL); |
|
|
|
if (sqlite3_load_extension(sqlite_handle, fullpath, 0, &errtext) != SQLITE_OK) { |
I'll open a PR with my patch later this week. It introduces a similar check to SQLite3::loadExtension and restricts extension loading to a trusted directory (sqlite3.extension_dir) set in advance.
PHP Version
PHP 8.6.0-dev (cli) (built: May 10 2026 23:58:07) (NTS)
Copyright © The PHP Group and Contributors
Zend Engine v4.6.0-dev, Copyright © Zend by Perforce
with Zend OPcache v8.6.0-dev, Copyright ©, by Zend by Perforce
Operating System
No response
Description
Unlike
SQLite3::loadExtension,Pdo\Sqlite::loadExtensiondoes not checksqlite3.extension_dirand callssqlite3_load_extensionwith the absolute path to theextensionparameter. This allows executing native code from PHP code subject toopen_basedir/disable_functions(which are not security boundaries anyway).php-src/ext/pdo_sqlite/pdo_sqlite.c
Lines 102 to 113 in 769441b
I'll open a PR with my patch later this week. It introduces a similar check to
SQLite3::loadExtensionand restricts extension loading to a trusted directory (sqlite3.extension_dir) set in advance.PHP Version
Operating System
No response