Index: src/main.c
==================================================================
--- src/main.c
+++ src/main.c
@@ -1826,10 +1826,17 @@
 
     /* Discard the scheme and authority segments of the URI. */
     if( zUri[5]=='/' && zUri[6]=='/' ){
       iIn = 7;
       while( zUri[iIn] && zUri[iIn]!='/' ) iIn++;
+
+      if( iIn!=7 && (iIn!=16 || memcmp("localhost", &zUri[7], 9)) ){
+        *pzErrMsg = sqlite3_mprintf("invalid uri authority: %.*s", 
+            iIn-7, &zUri[7]);
+        rc = SQLITE_ERROR;
+        goto parse_uri_out;
+      }
     }else{
       iIn = 5;
     }
 
     /* Copy the filename and any query parameters into the zFile buffer. 

Index: test/uri.test
==================================================================
--- test/uri.test
+++ test/uri.test
@@ -31,11 +31,11 @@
 # Test that file names are correctly extracted from URIs.
 #
 foreach {tn uri file} {
   1      test.db                            test.db
   2      file:test.db                       test.db
-  3      file://an-authorityPWD/test.db     test.db
+  3      file://PWD/test.db     test.db
   4      file:PWD/test.db                   test.db
   5      file:test.db?mork=1                test.db
   6      file:test.db?mork=1&tonglor=2      test.db
   7      file:test.db?mork=1#boris          test.db
   8      file:test.db#boris                 test.db
@@ -42,11 +42,11 @@
   9      test.db#boris                      test.db#boris
   10     test.db?mork=1#boris               test.db?mork=1#boris
   11     file:test%2Edb                     test.db
   12     file                               file
   13     http:test.db                       http:test.db
-  14     file://xyzPWD/test.db%3Fhello      test.db?hello
+  14     file://localhostPWD/test.db%3Fhello   test.db?hello
   15     file:test.db%00extra               test.db
   16     file:test%00.db%00extra            test
 } {
   set uri  [string map [list PWD [pwd]] $uri]
   set file [string map [list PWD [pwd]] $file]
@@ -62,11 +62,10 @@
   sqlite3 db xxx.db
   execsql { ATTACH $uri AS aux }
   do_test 1.$tn.4 { file exists $file } 1
   db close
 }
-
 
 #-------------------------------------------------------------------------
 # Test that URI query parameters are passed through to the VFS layer
 # correctly.
 #
@@ -240,8 +239,28 @@
 } {test.db2 test.db2-journal test.db2-wal}
 
 db close
 tvfs1 delete
 tvfs2 delete
+
+#-------------------------------------------------------------------------
+# Check that only "" and "localhost" are acceptable as authorities.
+#
+catch {db close}
+foreach {tn uri res} {
+  1     "file://localhost/PWD/test.db"   {not an error}
+  2     "file:///PWD/test.db"            {not an error}
+  3     "file:/PWD/test.db"              {not an error}
+  4     "file://l%6Fcalhost/PWD/test.db" {invalid uri authority: l%6Fcalhost}
+  5     "file://lbcalhost/PWD/test.db"   {invalid uri authority: lbcalhost}
+  6     "file://x/PWD/test.db"           {invalid uri authority: x}
+} {
+  set uri  [string map [list PWD [string range [pwd] 1 end]] $uri]
+  do_test 6.$tn {
+    set DB [sqlite3_open $uri]
+    sqlite3_errmsg $DB
+  } $res
+  catch { sqlite3_close $DB }
+}
 
 finish_test