Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support AllowLoadLocalInfile option #643

Closed
bgrainger opened this issue May 23, 2019 · 2 comments
Closed

Support AllowLoadLocalInfile option #643

bgrainger opened this issue May 23, 2019 · 2 comments
Assignees

Comments

@bgrainger
Copy link
Member

@bgrainger bgrainger commented May 23, 2019

Connector/NET 8.0.16 added the AllowLoadLocalInfile connection string option:

Default: false
Disables (by default) or enables the server functionality to load the data local infile.

This clears (sets) the ProtocolCapabilities.LocalFiles bit in the initial handshake. It should also cause the client to reject any request (from the server) to load a local file.

This is a security precaution.

MySqlConnector already has a mitigation for this vulnerability: #334. However, it may still be best to follow the latest MySQL security guidance and offer defense in depth by adding this connection string option.

@bgrainger
Copy link
Member Author

@bgrainger bgrainger commented May 23, 2019

The documentation should be updated for this and #610 at the same time.

@bgrainger bgrainger self-assigned this May 24, 2019
@bgrainger
Copy link
Member Author

@bgrainger bgrainger commented Aug 29, 2019

Fixed in 0.55.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

1 participant