[](https://www.sqlite.org/src/info?name=586493be0d3a2fc1e6803577d683697dfefc0fb305cc966bb389ce4045cbc19d&ln=6384-6390) reads: ``` static int arExtractCommand(ArCommand *pAr){ const char *zSql1 = "SELECT " " ($dir || name)," " writefile(($dir || name), %s, mode, mtime) " "FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)" " AND name NOT GLOB '*..[/\\]*'"; ``` If that last filter condition is meant to block directory traversal attacks, it should probably be: ``` " AND name NOT GLOB '..[/\\]*' AND name NOT GLOB '*[/\\]..[/\\]*'"; ``` i.e. separately match `../*` and `*/../*`. Otherwise, valid paths like `And so it begins.../script.txt` will be blocked: ``` $ sqlite3 SQLite version 3.35.5 2021-04-19 18:32:05 Enter ".help" for usage hints. Connected to a transient in-memory database. Use ".open FILENAME" to reopen on a persistent database. sqlite> CREATE TABLE test(name TEXT); sqlite> INSERT INTO test VALUES ('And so it begins.../script.txt'); sqlite> SELECT * FROM test WHERE name NOT GLOB '*..[/\]*'; sqlite> SELECT * FROM test WHERE name NOT GLOB '..[/\]*' AND name NOT GLOB '*[/\]..[/\]*'; And so it begins.../script.txt ```