https://www.sqlite.org/src/info?name=586493be0d3a2fc1e6803577d683697dfefc0fb305cc966bb389ce4045cbc19d&ln=6384-6390 reads:
static int arExtractCommand(ArCommand *pAr){
const char *zSql1 =
"SELECT "
" ($dir || name),"
" writefile(($dir || name), %s, mode, mtime) "
"FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)"
" AND name NOT GLOB '*..[/\\]*'";
If that last filter condition is meant to block directory traversal attacks, it should probably be:
" AND name NOT GLOB '..[/\\]*' AND name NOT GLOB '*[/\\]..[/\\]*'";
i.e. separately match `../*` and `*/../*`. Otherwise, valid paths like `And so it begins.../script.txt` will be blocked:
$ sqlite3
SQLite version 3.35.5 2021-04-19 18:32:05
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE test(name TEXT);
sqlite> INSERT INTO test VALUES ('And so it begins.../script.txt');
sqlite> SELECT * FROM test WHERE name NOT GLOB '*..[/\]*';
sqlite> SELECT * FROM test WHERE name NOT GLOB '..[/\]*' AND name NOT GLOB '*[/\]..[/\]*';
And so it begins.../script.txt
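As an added example (not part of the original post), the script below feeds both filters through SQLite's own GLOB over a set of constructed entry names, so the over-blocking of the current pattern and the behaviour of the proposed one can be checked side by side. It also includes a name whose final segment is `..`, which neither pattern matches; the sample names other than the one from the post are constructed.

```python
import sqlite3

# The two filters from the post: the current one in arExtractCommand and the proposed split one.
CURRENT_FILTER = r"name NOT GLOB '*..[/\]*'"
PROPOSED_FILTER = r"name NOT GLOB '..[/\]*' AND name NOT GLOB '*[/\]..[/\]*'"

# Constructed sample archive entry names (only the first one is taken from the post).
SAMPLE_NAMES = [
    "And so it begins.../script.txt",   # legitimate: '..' is part of a file name, not a segment
    "docs/notes..txt",                  # legitimate: '..' inside a name, not followed by a separator
    "../outside.txt",                   # traversal: leading '..' segment
    "dir/../outside.txt",               # traversal: '..' segment in the middle
    "dir\\..\\outside.txt",             # traversal with backslash separators
    "dir/..",                           # '..' as the final segment: matched by neither pattern
]

def filter_names(names, where_clause):
    """Return the names that pass the given WHERE filter, evaluated by SQLite's own GLOB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test(name TEXT)")
    conn.executemany("INSERT INTO test VALUES (?)", [(n,) for n in names])
    # where_clause is one of the constant filters above, never user input.
    rows = conn.execute(f"SELECT name FROM test WHERE {where_clause} ORDER BY rowid").fetchall()
    conn.close()
    return [r[0] for r in rows]

def compare_filters(names):
    """Map each name to (passes_current, passes_proposed) so the two patterns can be compared."""
    current = set(filter_names(names, CURRENT_FILTER))
    proposed = set(filter_names(names, PROPOSED_FILTER))
    return {n: (n in current, n in proposed) for n in names}

if __name__ == "__main__":
    for name, (cur, prop) in compare_filters(SAMPLE_NAMES).items():
        print(f"{name!r:36} current={'pass' if cur else 'BLOCK':5} proposed={'pass' if prop else 'BLOCK'}")
```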