Commit
security fix - by default 'local infile' is disabled:
- set default for mysqli.allow_local_infile=0
- explicitly disable PDO::MYSQL_ATTR_LOCAL_INFILE in case of lack of driver options
- add getAttribute support for PDO::MYSQL_ATTR_LOCAL_INFILE
- update existing tests where needed
- add new tests [checking default value and setting on] the 'local infile' in ext/mysqli and ext/pdo_mysql
1 parent 65d8183, commit 2eaabf0
Showing 18 changed files with 148 additions and 6 deletions.
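Added example, not code from this commit or from the PHP project: how an application opts out of local infile explicitly on both drivers, so it stays protected on PHP builds that predate this default change, and how it can verify the effective setting through the `getAttribute` support the commit introduces. Host, credentials and DSN are placeholders.

```php
<?php
// Added example (not part of the commit). Explicitly disables LOCAL INFILE on
// both mysqli and PDO_MySQL instead of relying on the driver default, which
// before this commit was "on" for mysqli. Connection details are placeholders.

function mysqli_connect_without_local_infile(string $host, string $user, string $pass, string $db): mysqli
{
    $link = mysqli_init();
    // The option must be set before mysqli_real_connect(); 0 turns off the
    // client-side handling of LOAD DATA LOCAL INFILE for this connection.
    mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, 0);
    if (!mysqli_real_connect($link, $host, $user, $pass, $db)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    return $link;
}

function pdo_connect_without_local_infile(string $dsn, string $user, string $pass): PDO
{
    // Passing the attribute explicitly makes the intent independent of the
    // driver default and of whether other driver options are present.
    return new PDO($dsn, $user, $pass, [
        PDO::MYSQL_ATTR_LOCAL_INFILE => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Uses the getAttribute support this commit adds; on older builds the call
// is not supported for this attribute and this check should be skipped.
function pdo_local_infile_is_off(PDO $db): bool
{
    return $db->getAttribute(PDO::MYSQL_ATTR_LOCAL_INFILE) === false;
}

// Placeholder values; replace with real connection parameters.
$pdo = pdo_connect_without_local_infile('mysql:host=db.example;dbname=app', 'app_user', 'secret');
var_dump(pdo_local_infile_is_off($pdo));                       // expected: bool(true)
var_dump((int) ini_get('mysqli.allow_local_infile'));          // 0 after this commit
```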
@@ -0,0 +1,26 @@ | ||
--TEST-- | ||
ensure default for local infile is off | ||
--SKIPIF-- | ||
<?php | ||
require_once('skipif.inc'); | ||
require_once('skipifconnectfailure.inc'); | ||
?> | ||
--FILE-- | ||
<?php | ||
require_once("connect.inc"); | ||
|
||
$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket); | ||
$res = mysqli_query($link, 'SHOW VARIABLES LIKE "local_infile"'); | ||
$row = mysqli_fetch_assoc($res); | ||
echo "server: ", $row['Value'], "\n"; | ||
mysqli_free_result($res); | ||
mysqli_close($link); | ||
|
||
echo "connector: ", ini_get("mysqli.allow_local_infile"), "\n"; | ||
|
||
print "done!\n"; | ||
?> | ||
--EXPECTF-- | ||
server: %s | ||
connector: 0 | ||
done! |
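Review bot: because the server line is matched with `%s`, the only thing this hunk asserts is `ini_get("mysqli.allow_local_infile")`, i.e. the compiled-in INI default, not that a connection opened under that default actually refuses `LOAD DATA LOCAL`; consider adding a behavioural check (an attempted `LOAD DATA LOCAL INFILE` of a temporary file failing with the expected error) so the test catches a connector that stops honouring the setting. Also, `'SHOW VARIABLES LIKE "local_infile"'` uses double quotes as the SQL string delimiter, which breaks under `sql_mode=ANSI_QUOTES`; write it as `"SHOW VARIABLES LIKE 'local_infile'"` and check `$res` for `false` before calling `mysqli_fetch_assoc($res)`.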
@@ -0,0 +1,28 @@ | ||
--TEST-- | ||
enable local infile | ||
--SKIPIF-- | ||
<?php | ||
require_once('skipif.inc'); | ||
require_once('skipifconnectfailure.inc'); | ||
?> | ||
--INI-- | ||
mysqli.allow_local_infile=1 | ||
--FILE-- | ||
<?php | ||
require_once("connect.inc"); | ||
|
||
$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket); | ||
$res = mysqli_query($link, 'SHOW VARIABLES LIKE "local_infile"'); | ||
$row = mysqli_fetch_assoc($res); | ||
echo "server: ", $row['Value'], "\n"; | ||
mysqli_free_result($res); | ||
mysqli_close($link); | ||
|
||
echo "connector: ", ini_get("mysqli.allow_local_infile"), "\n"; | ||
|
||
print "done!\n"; | ||
?> | ||
--EXPECTF-- | ||
server: %s | ||
connector: 1 | ||
done! |
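Review bot: `connector: 1` only echoes back the value this test's own `--INI--` section sets, so the assertion is tautological and does not show that a connection opened with `mysqli.allow_local_infile=1` has local infile enabled. Either exercise the connection (skip when the server reports `local_infile` OFF, otherwise expect a `LOAD DATA LOCAL INFILE` of a small temp file to succeed) or state in the test name that it only covers INI parsing. The double-quoted `"local_infile"` literal has the same `ANSI_QUOTES` problem as in the default-off test.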
ext/pdo_mysql/tests/pdo_mysql_local_infile_default_off.phpt (26 changes: 26 additions & 0 deletions)
@@ -0,0 +1,26 @@ | ||
--TEST-- | ||
ensure default for local infile is off | ||
--SKIPIF-- | ||
<?php | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'skipif.inc'); | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc'); | ||
MySQLPDOTest::skip(); | ||
if (!MYSQLPDOTest::isPDOMySQLnd()) | ||
die("skip mysqlnd only test"); | ||
?> | ||
--FILE-- | ||
<?php | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'config.inc'); | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc'); | ||
|
||
$dsn = MySQLPDOTest::getDSN(); | ||
$user = PDO_MYSQL_TEST_USER; | ||
$pass = PDO_MYSQL_TEST_PASS; | ||
|
||
$db = new PDO($dsn, $user, $pass); | ||
echo var_export($db->getAttribute(PDO::MYSQL_ATTR_LOCAL_INFILE)), "\n"; | ||
echo "done!\n"; | ||
?> | ||
--EXPECTF-- | ||
false | ||
done! |
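Review bot: this covers only the "no driver options at all" case named in the commit message; the case where an options array is passed without a `PDO::MYSQL_ATTR_LOCAL_INFILE` key (for example `array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)`) is the common one in applications and should also be asserted to yield `false`. The SKIPIF mixes `MySQLPDOTest::skip()` and `MYSQLPDOTest::isPDOMySQLnd()`; class names are case-insensitive so it runs, but one spelling is clearer. The `skip mysqlnd only test` guard leaves the default on libmysqlclient builds unverified; if `getAttribute` is only implemented for mysqlnd, a comment saying so would help, and `--EXPECT--` is sufficient since the expected output contains no format specifiers.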
@@ -0,0 +1,26 @@ | ||
--TEST-- | ||
enable local infile | ||
--SKIPIF-- | ||
<?php | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'skipif.inc'); | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc'); | ||
MySQLPDOTest::skip(); | ||
if (!MYSQLPDOTest::isPDOMySQLnd()) | ||
die("skip mysqlnd only test"); | ||
?> | ||
--FILE-- | ||
<?php | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'config.inc'); | ||
require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc'); | ||
|
||
$dsn = MySQLPDOTest::getDSN(); | ||
$user = PDO_MYSQL_TEST_USER; | ||
$pass = PDO_MYSQL_TEST_PASS; | ||
|
||
$db = new PDO($dsn, $user, $pass, array(PDO::MYSQL_ATTR_LOCAL_INFILE => true)); | ||
echo var_export($db->getAttribute(PDO::MYSQL_ATTR_LOCAL_INFILE)), "\n"; | ||
echo "done!\n"; | ||
?> | ||
--EXPECTF-- | ||
true | ||
done! |
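Review bot: `getAttribute` returning `true` here shows the driver option was recorded, not that it was applied to the underlying connection; pair this with an explicit `PDO::MYSQL_ATTR_LOCAL_INFILE => false` case so the option is proven to override the default in both directions, or add a behavioural check as in the mysqli tests. As in the default-off test, `--EXPECT--` would do since the expected output has no format specifiers.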