Bug #68226 FULLY UNABLE TO USE LOAD DATA LOCAL Statement IN Web Production Environments
Submitted: 2014-10-14 10:57 UTC Modified: 2020-06-04 08:54 UTC
Votes:22
Avg. Score:4.5 ± 0.8
Reproduced:20 of 20 (100.0%)
Same Version:8 (40.0%)
Same OS:8 (40.0%)
From: georgy dot garnov at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO MySQL
PHP Version: 5.6.1 OS: ALL
Private report: No CVE-ID: None
 [2014-10-14 10:57 UTC] georgy dot garnov at gmail dot com
Description:
------------
If you set open_basedir in your php.ini or use PHP as FCGI, you will always get the "The used command is not allowed with this MySQL version" error.
You can use new PDO($dsn,$login,$password, array(PDO::MYSQL_ATTR_LOCAL_INFILE => true)), but it will have no effect.
So you are fully unable to use LOAD DATA LOCAL INFILE.
That's because of \ext\pdo_mysql\mysql_driver.c
LINES 626 to 633
#if PHP_API_VERSION < 20100412
		if ((PG(open_basedir) && PG(open_basedir)[0] != '\0') || PG(safe_mode))
#else
		if (PG(open_basedir) && PG(open_basedir)[0] != '\0') 
#endif
		{
			local_infile = 0;
		}
As you can see, you will always fail in production environments.
There is no check whether the loaded file is inside the base dir; it just fails.
That's bad!!


History

 [2014-10-14 15:20 UTC] johannes@php.net
-Assigned To: +Assigned To: mysql
 [2014-10-14 15:20 UTC] johannes@php.net
With libmysql we can't check the path. As soon as the feature is enabled the server can request any file it likes (Client sends SQL to server, the server parses it and requests the file, the client doesn't know SQL) therefore on PHP versions using libmysql we can't check the path.

With mysqlnd this is different, there we can check the path. Andrey, do you have any thoughts on this? Any issues if we make this check less strict?

Security-wise "interesting" might be if a malicious server requests php://input or such.
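A sketch of the kind of client-side path check the comment above says mysqlnd could perform, written as an added example that is not part of this bug thread or of PHP's source. The function names, the ':'-separated list handling (POSIX assumed) and the blanket refusal of names containing "://" are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), strtok_r(), PATH_MAX */
#endif
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* 1 if `path` equals `base` or lies below it on a component boundary,
 * so "/var/www2" is not treated as inside "/var/www". */
int path_within(const char *path, const char *base)
{
    size_t n = strlen(base);
    while (n > 1 && base[n - 1] == '/')
        n--;                                  /* ignore trailing slashes */
    if (strncmp(path, base, n) != 0)
        return 0;
    if (n == 1 && base[0] == '/')
        return 1;                             /* base is the root */
    return path[n] == '\0' || path[n] == '/';
}

/* Hypothetical gate for a file name the server asks the client to send.
 * basedirs: ':'-separated list, as in open_basedir (assumed POSIX).
 * On success returns 1 and writes the canonical path to `out`; the
 * caller should open `out`, not the server-supplied string. */
int local_infile_resolve(const char *requested, const char *basedirs,
                         char out[PATH_MAX])
{
    char list[PATH_MAX], base_real[PATH_MAX], *dir, *save = NULL;

    if (!requested || !basedirs || strlen(basedirs) >= sizeof(list))
        return 0;
    if (strstr(requested, "://"))             /* php://input and similar */
        return 0;
    if (!realpath(requested, out))            /* must exist; resolves ".." and symlinks */
        return 0;

    strcpy(list, basedirs);
    for (dir = strtok_r(list, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        if (realpath(dir, base_real) && path_within(out, base_real))
            return 1;
    }
    return 0;                                 /* empty list or no match: refuse */
}
```

The check fails closed: a name that does not resolve to an existing file, or an empty directory list, is refused rather than passed through.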
 [2015-02-03 20:14 UTC] phpbugs2012 at joern dot heissler dot de
See also related https://bugs.php.net/bug.php?id=62889
 [2017-10-24 08:12 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: mysql +Assigned To:
 [2020-06-04 08:54 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-06-04 08:54 UTC] cmb@php.net
Closing this ticket as duplicate of bug #68077.
Last updated: Sat Nov 23 23:01:26 2024 UTC