From 51e609c4619e366856941e47fb22e3d2f7b8349f Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Sun, 17 Oct 2010 08:22:36 +0200
Subject: [PATCH] Disable creating SQLite databases with extension other than db, sdb, sqlite
---
 adminer/drivers/sqlite.inc.php | 19 ++++++++++++++++++-
 changes.txt | 1 +
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/adminer/drivers/sqlite.inc.php b/adminer/drivers/sqlite.inc.php
index 89ce2f15..5418ac6c 100644
--- a/adminer/drivers/sqlite.inc.php
+++ b/adminer/drivers/sqlite.inc.php
@@ -344,13 +344,27 @@ if (isset($_GET["sqlite"]) || isset($_GET["sqlite2"])) {
 function exact_value($val) {
 return q($val);
 }
-
+
+ function check_sqlite_name($name) {
+ // avoid creating PHP files on unsecured servers
+ global $connection;
+ $extensions = "db|sdb|sqlite";
+ if (!preg_match("~^[^\\0]*\\.($extensions)\$~", $name)) {
+ $connection->error = lang('Please use one of the extensions %s.', str_replace("|", ", ", $extensions));
+ return false;
+ }
+ return true;
+ }
+
 function create_database($db, $collation) {
 global $connection;
 if (file_exists($db)) {
 $connection->error = lang('File exists.');
 return false;
 }
+ if (!check_sqlite_name($db)) {
+ return false;
+ }
 $link = new Min_SQLite($db); //! exception handler
 $link->query('PRAGMA encoding = "UTF-8"');
 $link->query('CREATE TABLE adminer (i)'); // otherwise creates empty file
@@ -372,6 +386,9 @@ if (isset($_GET["sqlite"]) || isset($_GET["sqlite2"])) {
 function rename_database($name, $collation) {
 global $connection;
+ if (!check_sqlite_name($name)) {
+ return false;
+ }
 $connection->Min_SQLite(":memory:");
 $connection->error = lang('File exists.');
 return @rename(DB, $name);
diff --git a/changes.txt b/changes.txt
index 716b9d2e..094eda14 100644
--- a/changes.txt
+++ b/changes.txt
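Review bot: In check_sqlite_name the pattern `~^[^\\0]*\\.($extensions)\$~` ends in a bare `$`, which in PCRE also matches just before a single trailing newline, so a name ending in `.db` plus a newline still passes the allowlist; adding the `D` modifier makes the end anchor strict: `if (!preg_match("~^[^\\0]*\\.($extensions)\$~D", $name)) {`. The allowlist itself is the right shape for this purpose: it is case-sensitive, so variant spellings of the extension are rejected rather than normalised, and `[^\\0]*` keeps a NUL byte anywhere in the name from slipping past the extension check. It only constrains the extension, not the directory part of `$name`; if that is deliberate, it is worth stating next to the existing comment, e.g. `// only the extension is checked here, not the directory`. The same helper guards both create_database and rename_database, so one fix covers both hunks; the enclosing `if (isset($_GET["sqlite"]) ...)` block starts and ends outside the hunk.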
@@ -1,5 +1,6 @@
 Adminer 3.0.1-dev:
 Send the form by Ctrl+Enter in all textareas
+Disable creating SQLite databases with extension other than db, sdb, sqlite
 Catalan translation
 Adminer 3.0.0 (released 2010-10-15):