From ea4574b386a6296b51ee30a10ddefe21a96967bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
Date: Mon, 28 Jul 2025 13:57:44 +0200
Subject: [PATCH] pdo: Deprecate the `uri:` DSN scheme

RFC: https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_pdo_s_urischeme
---
 ext/pdo/pdo_dbh.c                             |  5 ++
 .../tests/pdo_mysql___construct_uri.phpt      |  5 +-
 .../tests/pdo_sqlite___construct_uri.phpt     | 48 +++++++++++++++++++
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 ext/pdo_sqlite/tests/pdo_sqlite___construct_uri.phpt

diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c
index 9588f23d420c5..af8149322f2e7 100644
--- a/ext/pdo/pdo_dbh.c
+++ b/ext/pdo/pdo_dbh.c
@@ -347,6 +347,11 @@ PDO_API void php_pdo_internal_construct_driver(INTERNAL_FUNCTION_PARAMETERS, zen
 	}
 
 	if (!strncmp(data_source, "uri:", sizeof("uri:")-1)) {
+		zend_error(E_DEPRECATED, "Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs");
+		if (EG(exception)) {
+			RETURN_THROWS();
+		}
+
 		/* the specified URI holds connection details */
 		data_source = dsn_from_uri(data_source + sizeof("uri:")-1, alt_dsn, sizeof(alt_dsn));
 		if (!data_source) {
diff --git a/ext/pdo_mysql/tests/pdo_mysql___construct_uri.phpt b/ext/pdo_mysql/tests/pdo_mysql___construct_uri.phpt
index ec6bce78b7c41..d86f9b3d8773d 100644
--- a/ext/pdo_mysql/tests/pdo_mysql___construct_uri.phpt
+++ b/ext/pdo_mysql/tests/pdo_mysql___construct_uri.phpt
@@ -63,5 +63,8 @@ MySQLPDOTest::skip();
 
     print "done!";
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs in %s on line %d
+
+Deprecated: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs in %s on line %d
 done!
diff --git a/ext/pdo_sqlite/tests/pdo_sqlite___construct_uri.phpt b/ext/pdo_sqlite/tests/pdo_sqlite___construct_uri.phpt
new file mode 100644
index 0000000000000..7fc686b214723
--- /dev/null
+++ b/ext/pdo_sqlite/tests/pdo_sqlite___construct_uri.phpt
@@ -0,0 +1,48 @@
+--TEST--
+PDO_sqlite: PDO->__construct() - URI
+--EXTENSIONS--
+pdo_sqlite
+--FILE--
+<?php
+$dsnFile = __DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.dsn";
+$dbFile = __DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.db";
+file_put_contents($dsnFile, "sqlite:{$dbFile}");
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+new PDO("uri:{$dsnFile}");
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+unlink($dbFile);
+
+set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) {
+    throw new \ErrorException($errstr, 0, $errno, $errfile, $errline);
+});
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+
+try {
+    new PDO("uri:{$dsnFile}");
+} catch (Throwable $e) {
+    echo $e::class, ": ", $e->getMessage(), PHP_EOL;
+}
+
+clearstatcache();
+var_dump(file_exists($dbFile));
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.dsn");
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . "pdo_sqlite___construct_uri.db");
+?>
+--EXPECTF--
+bool(false)
+
+Deprecated: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs in %s on line %d
+bool(true)
+bool(false)
+ErrorException: Looking up the DSN from a URI is deprecated due to possible security concerns with DSNs coming from remote URIs
+bool(false)