Commit
Crude "auto-load-data-local-infile" mode
Disable LOAD DATA LOCAL INFILE support by default and auto-enable it for the duration of one query, if the query string starts with the word "load". In all other cases the application should enable LOAD DATA LOCAL INFILE support explicitly.
Showing 9 changed files with 90 additions and 11 deletions.
2175bfc
Does this still allow a malicious server to request the wrong (or simply, an additional) file in response to a "load" query?
2175bfc
Correct, it does allow to request a wrong file. This is not a bullet-proof solution, but a compromise between doing nothing and disabling `CLIENT_LOCAL_FILES` by default (and breaking many thousands of installations that use it). This fix is almost like disabling by default while not breaking almost any existing application. At least it didn't break any of our `LOAD DATA LOCAL` tests.

A bullet-proof solution would mean an SQL parser in the client library. It needs to parse comments correctly (e.g. `/*foo*/load/*bar*/data` and even `/*!50607 load data*/`), it needs to handle all possible string escapings and encodings to be able to extract the file name correctly. So we consider it an overkill, a performance price that users should not pay, taking into account that almost all statements are not `LOAD DATA LOCAL`.

Security-conscious applications can still disable `CLIENT_LOCAL_FILES` as before. And if an application sends queries that start from a comment (like `/*foo*/load`) it can fully enable `CLIENT_LOCAL_FILES` as before.

By the way, no, a malicious server cannot request an additional file. After this fix a client library will accept only one file request, and only directly after "load..." query.
2175bfc
Great, thank you for the detailed response.
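The gate described in the commit message and the reply above, modelled as an added example (not code from this commit or the client library; every name is hypothetical). It assumes the match is case-insensitive and anchored at the first byte of the query, and it shows the three properties discussed: one file per "load" query, no match for a query that starts with a comment, and no check of the file name the server asks for.

```c
/* Added illustration of the "auto" gate; not the client library's code.
   All names here are hypothetical. */
#include <ctype.h>
#include <stddef.h>

enum infile_mode { INFILE_OFF, INFILE_AUTO, INFILE_ON };

struct conn {
    enum infile_mode mode; /* what the application configured */
    int one_shot;          /* 1 = the next server file request may be served */
};

/* Assumption: the match is case-insensitive, anchored at byte 0, and skips
   neither whitespace nor comments, so a comment-prefixed load does not match. */
static int starts_with_load(const char *q)
{
    static const char kw[] = "load";
    size_t i;
    for (i = 0; kw[i] != '\0'; i++)
        if (tolower((unsigned char)q[i]) != kw[i])
            return 0;          /* also stops at the terminating NUL */
    return !isalnum((unsigned char)q[i]) && q[i] != '_';
}

/* Before sending a query: arm (or disarm) the gate for this query only. */
void on_query(struct conn *c, const char *query)
{
    c->one_shot = (c->mode == INFILE_AUTO) && starts_with_load(query);
}

/* When the server requests a local file: 1 = send, 0 = refuse. The requested
   file name is not an input; this gate never checks it. */
int on_file_request(struct conn *c)
{
    if (c->mode == INFILE_ON)
        return 1;
    if (c->mode == INFILE_AUTO && c->one_shot) {
        c->one_shot = 0;       /* one file per "load" query */
        return 1;
    }
    return 0;
}

/* Send one query, then count how many of n file requests are served. */
int served(enum infile_mode mode, const char *query, int n)
{
    struct conn c = { mode, 0 };
    int ok = 0;
    on_query(&c, query);
    while (n-- > 0)
        ok += on_file_request(&c);
    return ok;
}
```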