Index: src/main.c ================================================================== --- src/main.c +++ src/main.c @@ -1826,10 +1826,17 @@ /* Discard the scheme and authority segments of the URI. */ if( zUri[5]=='/' && zUri[6]=='/' ){ iIn = 7; while( zUri[iIn] && zUri[iIn]!='/' ) iIn++; + + if( iIn!=7 && (iIn!=16 || memcmp("localhost", &zUri[7], 9)) ){ + *pzErrMsg = sqlite3_mprintf("invalid uri authority: %.*s", + iIn-7, &zUri[7]); + rc = SQLITE_ERROR; + goto parse_uri_out; + } }else{ iIn = 5; } /* Copy the filename and any query parameters into the zFile buffer. Index: test/uri.test ================================================================== --- test/uri.test +++ test/uri.test @@ -31,11 +31,11 @@ # Test that file names are correctly extracted from URIs. # foreach {tn uri file} { 1 test.db test.db 2 file:test.db test.db - 3 file://an-authorityPWD/test.db test.db + 3 file://PWD/test.db test.db 4 file:PWD/test.db test.db 5 file:test.db?mork=1 test.db 6 file:test.db?mork=1&tonglor=2 test.db 7 file:test.db?mork=1#boris test.db 8 file:test.db#boris test.db @@ -42,11 +42,11 @@ 9 test.db#boris test.db#boris 10 test.db?mork=1#boris test.db?mork=1#boris 11 file:test%2Edb test.db 12 file file 13 http:test.db http:test.db - 14 file://xyzPWD/test.db%3Fhello test.db?hello + 14 file://localhostPWD/test.db%3Fhello test.db?hello 15 file:test.db%00extra test.db 16 file:test%00.db%00extra test } { set uri [string map [list PWD [pwd]] $uri] set file [string map [list PWD [pwd]] $file] @@ -62,11 +62,10 @@ sqlite3 db xxx.db execsql { ATTACH $uri AS aux } do_test 1.$tn.4 { file exists $file } 1 db close } - #------------------------------------------------------------------------- # Test that URI query parameters are passed through to the VFS layer # correctly. # 
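Review bot: In the src/main.c hunk, the new authority check compares the raw URI bytes with `memcmp("localhost", &zUri[7], 9)`, so it is case-sensitive and runs on the undecoded text; `file://LOCALHOST/...` is rejected even though URI hosts are normally case-insensitive. Failing closed is the safer choice here, but the rule and the bare offsets deserve a comment, for example `/* Authority must be empty or exactly "localhost" (7 = strlen("file://"), 16 = 7+9); compared undecoded and case-sensitively. */`. The error text also copies the caller-supplied authority verbatim through `%.*s`, so anything that logs or displays this message should treat it as untrusted input. The declaration of `iIn` and the `parse_uri_out` label are outside the hunk: the `%.*s` precision assumes `iIn` is an `int`, and the early `goto` assumes the label releases whatever was allocated before this point.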
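Review bot: Row 3 in the test/uri.test hunk at @@ -31 now depends on `[pwd]` beginning with `/`, because `file://PWD/test.db` has an empty authority only when the substituted path starts with a slash. Row 14 in the following hunk (@@ -42) has the same dependency, since `file://localhostPWD/...` yields the authority `localhost` only under that condition. If the suite runs where `[pwd]` returns anything else (a drive-letter path, for instance), the first path segment would be parsed as the authority and rejected by the new check in src/main.c, so these rows would fail for a reason unrelated to filename extraction. A comment above the `foreach`, such as `# Rows 3 and 14 assume [pwd] starts with "/" so the authority is empty or "localhost".`, would make the assumption explicit.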
@@ -240,8 +239,28 @@ } {test.db2 test.db2-journal test.db2-wal} db close tvfs1 delete tvfs2 delete + +#------------------------------------------------------------------------- +# Check that only "" and "localhost" are acceptable as authorities. +# +catch {db close} +foreach {tn uri res} { + 1 "file://localhost/PWD/test.db" {not an error} + 2 "file:///PWD/test.db" {not an error} + 3 "file:/PWD/test.db" {not an error} + 4 "file://l%6Fcalhost/PWD/test.db" {invalid uri authority: l%6Fcalhost} + 5 "file://lbcalhost/PWD/test.db" {invalid uri authority: lbcalhost} + 6 "file://x/PWD/test.db" {invalid uri authority: x} +} { + set uri [string map [list PWD [string range [pwd] 1 end]] $uri] + do_test 6.$tn { + set DB [sqlite3_open $uri] + sqlite3_errmsg $DB + } $res + catch { sqlite3_close $DB } +} finish_test
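Review bot: The new 6.* cases leave the boundaries of the length-plus-`memcmp` check untested: no row covers a mixed-case host or an authority that carries a port or userinfo. Going by the check in src/main.c, rows such as `7 "file://LOCALHOST/PWD/test.db" {invalid uri authority: LOCALHOST}` and `8 "file://localhost:80/PWD/test.db" {invalid uri authority: localhost:80}` should pass today. They would pin the fail-closed behaviour, so a later relaxation of the comparison shows up as a test failure. Separately, `[string range [pwd] 1 end]` strips the first character on the assumption that it is `/`; a short comment stating that would help anyone running the suite on a platform where it is not.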