add DisallowSqliteAttach feature

extensions/.gitignore

@@ -0,0 +1,3 @@
+*.h
+*.zip
+sqlite-amalgamation-3470200/

extensions/Makefile

@@ -0,0 +1,34 @@
+.PHONY: all headers
+
+ifeq ($(OS),Windows_NT)
+	OUTPUT = lib/noattach.dll
+	CCFLAGS = -shared
+else
+	UNAME := $(shell uname)
+	CCFLAGS = -fPIC -Os -shared
+	ifeq ($(UNAME),Darwin)
+		ifeq ($(shell uname -m),arm64)
+			OUTPUT = lib/arm/noattach.dylib
+		else
+			OUTPUT = lib/noattach.dylib
+		endif
+	else
+		ifeq ($(shell uname -m),aarch64)
+			OUTPUT = lib/arm/noattach.so
+		else
+			OUTPUT = lib/noattach.so
+		endif
+	endif
+endif
+
+all: $(OUTPUT)
+
+headers:
+	# To simplify compilation across platforms, we include sqlite3ext.h in this directory.
+	curl -L https://www.sqlite.org/2024/sqlite-amalgamation-3470200.zip -o sqlite-src.zip
+	unzip sqlite-src.zip
+	cp sqlite-amalgamation-3470200/*.h .
+
+$(OUTPUT): noattach.c
+	# We don't link against libsqlite3 since PHP statically links its own libsqlite3.
+	$(CC) $(CCFLAGS) -o $@ $<

extensions/noattach.c

@@ -0,0 +1,22 @@
+#include "sqlite3ext.h"
+SQLITE_EXTENSION_INIT1
+
+static int deny_attach_authorizer(void *user_data, int action_code, const char *param1, const char *param2, const char *dbname, const char *trigger) {
+    return action_code == SQLITE_ATTACH // 24
+        ? SQLITE_DENY // 1
+        : SQLITE_OK; // 0
+}
+
+#ifdef _WIN32
+__declspec(dllexport)
+#endif
+int sqlite3_noattach_init(sqlite3 *db, char **pzErrMsg, const sqlite3_api_routines *pApi) {
+    SQLITE_EXTENSION_INIT2(pApi);
+
+    int rc = sqlite3_set_authorizer(db, deny_attach_authorizer, 0);
+    if (rc != SQLITE_OK) {
+        *pzErrMsg = sqlite3_mprintf("Tenancy: Failed to set authorizer");
+    }
+
+    return rc;
+}