pdo: Deprecate the uri: DSN scheme

TimWolla · TimWolla · commit ea4574b386a6 · 2025-07-28T14:16:43.000+02:00
RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_pdo_s_urischeme
diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c
@@ -347,6 +347,11 @@ PDO_API void php_pdo_internal_construct_driver(INTERNAL_FUNCTION_PARAMETERS, zen
 	}
 
 	if (!strncmp(data_source, "uri:", sizeof("uri:")-1)) {
+		zend_error(E_DEPRECATED, "Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs");
+		if (EG(exception)) {
+			RETURN_THROWS();
+		}
+
 		/* the specified URI holds connection details */
 		data_source = dsn_from_uri(data_source + sizeof("uri:")-1, alt_dsn, sizeof(alt_dsn));
 		if (!data_source) {
diff --git a/ext/pdo_mysql/tests/pdo_mysql___construct_uri.phpt b/ext/pdo_mysql/tests/pdo_mysql___construct_uri.phpt
@@ -63,5 +63,8 @@ MySQLPDOTest::skip();
 
     print "done!";
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs in %s on line %d
+
+Deprecated: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs in %s on line %d
 done!
diff --git a/ext/pdo_sqlite/tests/pdo_sqlite___construct_uri.phpt b/ext/pdo_sqlite/tests/pdo_sqlite___construct_uri.phpt
@@ -0,0 +1,48 @@
+--TEST--
+PDO_sqlite: PDO->__construct() - URI
+--EXTENSIONS--
+pdo_sqlite
+--FILE--
+<?php
+$dsnFile = __DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.dsn";
+$dbFile = __DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.db";
+file_put_contents($dsnFile, "sqlite:{$dbFile}");
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+new PDO("uri:{$dsnFile}");
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+unlink($dbFile);
+
+set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) {
+    throw new \ErrorException($errstr, 0, $errno, $errfile, $errline);
+});
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+
+try {
+    new PDO("uri:{$dsnFile}");
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+}
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.dsn");
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.db");
+?>
+--EXPECTF--
+bool(false)
+
+Deprecated: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs in %s on line %d
+bool(true)
+bool(false)
+ErrorException: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs
+bool(false)
