From 9c2e03144289a3cecaee61457f7dfea53157f92c Mon Sep 17 00:00:00 2001
From: drh <>
Date: Sat, 29 Nov 2025 18:59:58 +0000
Subject: [PATCH] Additional defenses against using the ".open" command of the
 CLI in --safe mode.

FossilOrigin-Name: eec0b80e53bb54ee05a4903cfb967cc2914cdcc735f1218922a0f9c80399c3e8
---
 manifest       | 12 ++++++------
 manifest.uuid  |  2 +-
 src/shell.c.in |  6 ++++--
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/manifest b/manifest
index 2c3733e775..cdb37fdada 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Update\sthe\sdocumentation\sto\ssqlite3_str_finish().\s\sThat\sfunction\smight\nnot\sreturn\sNULL\son\san\sempty\sstring\snow,\sif\sthe\sempty\sstring\sis\screated\nthrough\sthe\suse\sof\ssqlite3_str_truncate().
-D 2025-11-29T18:32:25.952
+C Additional\sdefenses\sagainst\susing\sthe\s".open"\scommand\sof\sthe\sCLI\sin\s--safe\nmode.
+D 2025-11-29T18:59:58.844
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -736,7 +736,7 @@ F src/random.c 606b00941a1d7dd09c381d3279a058d771f406c5213c9932bbd93d5587be4b9c
 F src/resolve.c 5616fbcf3b833c7c705b24371828215ad0925d0c0073216c4f153348d5753f0a
 F src/rowset.c 8432130e6c344b3401a8874c3cb49fefe6873fec593294de077afea2dce5ec97
 F src/select.c 6a509cddd815d64f6141e539fff633a518a393772a44dffb4490f7fc3f0d83a9
-F src/shell.c.in 139c2fb0a69274c15f1f0f5f3e11eadb197c8104287146f13ff88a9e13f486cc
+F src/shell.c.in c850d2545ba70b4d3b318256b98a65186bceda164c244c02aad5fed58900d164
 F src/sqlite.h.in 78d57fcb8cd0a07572b97fa7cc0cb88416de9faffc2acb315c88fc34b72c34b1
 F src/sqlite3.rc 015537e6ac1eec6c7050e17b616c2ffe6f70fca241835a84a4f0d5937383c479
 F src/sqlite3ext.h 5d5330f5f8461f5ce74960436ddcfa53ecd09c2b8b23901e22ae38aec3243998
@@ -2180,8 +2180,8 @@ F tool/version-info.c 33d0390ef484b3b1cb685d59362be891ea162123cea181cb8e6d2cf6dd
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh d924598cf2f55a4ecbc2aeb055c10bd5f48114793e7ba25f9585435da29e7e98
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 7927dbc5ebc76233325e45bd24181dbc5c3636e271f9352cf530f41dad6ba66d
-R dd82c2957b46379774f8ec9dc63117c1
+P b2e980ede581625e37701f54833e5615d31a1b821ddaf52a26798494f847e640
+R 09713027726d6f0b138f3ce5a8ffc8c2
 U drh
-Z eec0537322c160e0451be2e6174833b8
+Z df22a1cdb36182b2da707b8198586b15
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 057bae91b7..bf61988276 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-b2e980ede581625e37701f54833e5615d31a1b821ddaf52a26798494f847e640
+eec0b80e53bb54ee05a4903cfb967cc2914cdcc735f1218922a0f9c80399c3e8
diff --git a/src/shell.c.in b/src/shell.c.in
index d87136956a..7076a09e7c 100644
--- a/src/shell.c.in
+++ b/src/shell.c.in
@@ -9685,6 +9685,8 @@ static int do_meta_command(const char *zLine, ShellState *p){
     int openMode = SHELL_OPEN_UNSPEC;
     int openFlags = SQLITE_OPEN_READWRITE|SQLITE_OPEN_CREATE;
 
+    if( p->bSafeMode ) openFlags = SQLITE_OPEN_READONLY;
+
     /* Check for command-line arguments */
     for(iName=1; iName<nArg; iName++){
       const char *z = azArg[iName];
@@ -9692,10 +9694,10 @@ static int do_meta_command(const char *zLine, ShellState *p){
       if( optionMatch(z,"new") ){
         newFlag = 1;
 #ifdef SQLITE_HAVE_ZLIB
-      }else if( optionMatch(z, "zip") ){
+      }else if( optionMatch(z, "zip") && !p->bSafeMode ){
         openMode = SHELL_OPEN_ZIPFILE;
 #endif
-      }else if( optionMatch(z, "append") ){
+      }else if( optionMatch(z, "append") && !p->bSafeMode ){
         openMode = SHELL_OPEN_APPENDVFS;
       }else if( optionMatch(z, "readonly") ){
         openFlags &= ~(SQLITE_OPEN_READWRITE|SQLITE_OPEN_CREATE);
-- 
2.47.3