From: drh <>
Date: Mon, 23 Feb 2026 13:29:29 +0000 (+0000)
Subject: Add test cases for the symlink defenses of the previous check-in.
X-Git-Tag: version-3.52.0~39
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2e27e5d54db8a0350e4e687988d4e7d54fe0882;p=thirdparty%2Fsqlite.git

Add test cases for the symlink defenses of the previous check-in.

FossilOrigin-Name: 5da9bf09cc00faf98cc515fb5a10a0af325b8f7608893808d031dfef62380be2
---

diff --git a/manifest b/manifest
index d8e909b52f..62bd48113b 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Change\sthe\sSQLAR\sarchive\sextraction\salgorithm\sin\sthe\sCLI\sso\sthat\sit\nuses\sthe\snewly\senhanced\srealpath()\sSQL\sfunction\sto\sguard\sagainst\nattacks\sthat\suse\ssymlinks\sto\stry\sto\swrite\sfiles\soutside\sof\sthe\ndestination\sdirectory.\n[forum:/forumpost/641b09daa17d9086|Forum\spost\s641b09daa17d9086].
-D 2026-02-23T12:19:05.604
+C Add\stest\scases\sfor\sthe\ssymlink\sdefenses\sof\sthe\sprevious\scheck-in.
+D 2026-02-23T13:29:29.514
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -1626,7 +1626,7 @@ F test/shell4.test e25580a792b7b54560c3a76b6968bd8189261f38979fe28e6bc6312c5db28
 F test/shell5.test a9cd2c8b62e125049ef500937674f47dd6787f0157ac0515aa554044a4dc3ea9
 F test/shell6.test e3b883b61d4916b6906678a35f9d19054861123ad91b856461e0a456273bdbb8
 F test/shell7.test 43fd8e511c533bab5232e95c7b4be93b243451709e89582600d4b6e67693d5c3
-F test/shell8.test 641cf21a99c59404c24e3062923734951c4099a6b6b6520de00cf7a1249ee871
+F test/shell8.test fc3b6ca51ffba9b4b658d4c65a07b50338a2b592a276a66b8464be448d0f5e30
 F test/shell9.test 8742a5b390cdcef6369f5aa223e415aa4255a4129ef249b177887dc635a87209
 F test/shellA.test 05cdaafa1f79913654487ce3aefa038d4106245d58f52e02faf506140a76d480
 F test/shellB.test b2afd5c28aba750c066996a082210d6a4fcab8fd042cad076d9c1023164af9b1
@@ -2195,8 +2195,8 @@ F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee
 F tool/warnings.sh d924598cf2f55a4ecbc2aeb055c10bd5f48114793e7ba25f9585435da29e7e98
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
 F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 27a5735fb1e194d763ab9fdb933fad4f694fb2f8ad19205d17ac81caebd82548
-R 5f3ef586ef29ee2dd47a3c1f07f1d05a
+P 7cced53e8c508fbf1816162c5358c77a712f76a38fd18f07171efc3c028a3c57
+R 759eaf7b561ab385ab020df9b6f9eba9
 U drh
-Z 1ae541096a3f2b3c5c84a58179012397
+Z 1cdbe80a45cdf36eafc051b6689caa6d
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 2c985e691c..b5fdeb09b2 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-7cced53e8c508fbf1816162c5358c77a712f76a38fd18f07171efc3c028a3c57
+5da9bf09cc00faf98cc515fb5a10a0af325b8f7608893808d031dfef62380be2
diff --git a/test/shell8.test b/test/shell8.test
index e555396365..2e0581bafb 100644
--- a/test/shell8.test
+++ b/test/shell8.test
@@ -217,6 +217,46 @@ if {$tcl_platform(platform)=="unix"} {
   do_test 3.3 {
     catchcmd shell8.db {.ar -x} 
   } {0 {}}
+
+  # Test defenses against using symlinks to write outside
+  # of the destination directory.  See forum thread at
+  # sqlite.org/forum/forumpost/2026-02-21T11:04:36z
+  #
+  forcedelete shell8.db
+  forcedelete ar1
+  forcedelete ar2
+  forcedelete ar3
+  file mkdir ar2
+  file mkdir ar3
+  set pwd [pwd]
+  sqlite3 db shell8.db
+  db eval {
+    CREATE TABLE sqlar(
+      name TEXT PRIMARY KEY,  -- name of the file
+      mode INT,               -- access permissions
+      mtime INT,              -- last modification time
+      sz INT,                 -- original file size
+      data BLOB               -- compressed content
+    );
+    INSERT INTO sqlar VALUES
+         ('abc',33188,0,-1,'content for abc'),
+         ('escape',40960,0,-1,$pwd||'/ar3'),
+         ('escape/def',33188,0,-1,'content for escape/def'),
+         ('ghi',33188,0,-1,'content for ghi');
+  }
+  do_test 3.4.1 {
+    catchcmd shell8.db {.ar -x --directory ar2}
+    lsort [glob -tails -directory ar2 *]
+  } {abc escape ghi}
+  do_test 3.4.2 {
+    lsort [glob -tails -directory ar3 *]
+  } {}
+  # ^^---  An extraction into ar2 should not leak any files into ar3
+
+  forcedelete shell8.db
+  forcedelete ar2
+  forcedelete ar3
+
 }
 
 finish_test