SQLite Forum

Bug: incorrect filter expression in arExtractCommand()

(1) By Adrian Ho (lexfiend) on 2021-06-14 03:40:52 [source]

https://www.sqlite.org/src/info?name=586493be0d3a2fc1e6803577d683697dfefc0fb305cc966bb389ce4045cbc19d&ln=6384-6390 reads:

static int arExtractCommand(ArCommand *pAr){
  const char *zSql1 = 
    "SELECT "
    " ($dir || name),"
    " writefile(($dir || name), %s, mode, mtime) "
    "FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)"
    " AND name NOT GLOB '*..[/\\]*'";

If that last filter condition is meant to block directory traversal attacks, it should probably be:

    " AND name NOT GLOB '..[/\\]*' AND name NOT GLOB '*[/\\]..[/\\]*'";

i.e. separately match ../* and */../*. Otherwise, valid paths like "And so it begins.../script.txt" will be blocked:

$ sqlite3
SQLite version 3.35.5 2021-04-19 18:32:05
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE test(name TEXT);

sqlite> INSERT INTO test VALUES ('And so it begins.../script.txt');

sqlite> SELECT * FROM test WHERE name NOT GLOB '*..[/\]*';

sqlite> SELECT * FROM test WHERE name NOT GLOB '..[/\]*' AND name NOT GLOB '*[/\]..[/\]*';
And so it begins.../script.txt
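
The comparison from the post, run through Python's sqlite3 module over a few constructed member names and set beside a component-wise check. This is an added example, not code from the post or from SQLite; the helper names, the sample names and the component-wise check are assumptions made for illustration.

```python
import re
import sqlite3

ORIGINAL = [r"*..[/\]*"]                  # filter quoted from arExtractCommand()
PROPOSED = [r"..[/\]*", r"*[/\]..[/\]*"]  # pair of filters suggested in the post

# Constructed sample names, not taken from any real archive.
SAMPLES = [
    "And so it begins.../script.txt",  # directory name that merely ends in dots
    "docs/readme.txt",
    "../outside.txt",
    "a/../b.txt",
    "a\\..\\b.txt",                    # same shape with backslash separators
    "a/..",                            # ".." as the final component
]


def allowed_by_glob(conn, name, patterns):
    """True when `name NOT GLOB p` holds for every pattern p."""
    return all(
        conn.execute("SELECT ? NOT GLOB ?", (name, p)).fetchone()[0]
        for p in patterns
    )


def allowed_by_components(name):
    """Assumed reference check: no path component is exactly '..'."""
    return ".." not in re.split(r"[/\\]", name)


def compare(names=SAMPLES):
    """Return (name, original_ok, proposed_ok, component_ok) per name."""
    conn = sqlite3.connect(":memory:")
    try:
        return [
            (n,
             allowed_by_glob(conn, n, ORIGINAL),
             allowed_by_glob(conn, n, PROPOSED),
             allowed_by_components(n))
            for n in names
        ]
    finally:
        conn.close()


if __name__ == "__main__":
    print(f"{'name':34} {'original':9} {'proposed':9} components")
    for name, orig, prop, comp in compare():
        print(f"{name!r:34} {orig!s:9} {prop!s:9} {comp}")
```

The GLOB forms only match ".." when a separator follows it, so the last sample passes both of them while the component-wise check rejects it.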