Request #80329 Add option to specify LOAD DATA LOCAL white list folder (including libmysql)
Submitted: 2020-11-06 16:30 UTC Modified: 2021-01-24 20:17 UTC
From: Assigned: marines (profile)
Status: Closed Package: mysql (PECL)
PHP Version: 7.4.12 OS: any
Private report: No CVE-ID: None
 [2020-11-06 16:30 UTC]
In previous versions we disabled LOAD DATA LOCAL by default. A user needs to give an option to enable this functionality. This worklog seeks to improve the security of this option further by allowing a user to specify a folder that is safe to upload files from.

Functional requirements:
FR1: MySQL connectors will provide an option that allows the user to specify a folder where files that can be sent via LOAD DATA LOCAL can exist.

FR2: The following grid shows the usage scenarios; we are attempting to match the behavior of libmysqlclient here.

enableLoadLocal | allowLoadLocalInfileInPath  | result
true            | empty string or null        | all uploads allowed
true            | set to path                 | all uploads allowed -- path not respected
false           | empty string or null        | no uploads allowed
false           | set to path                 | uploads from that subtree only allowed

FR3: The connector shall allow files to come from a "proper" subfolder of the restricted folder. However, symlinks or navigational symbols must not be used in either element. For example, if I set /tmp as my restricted folder, then file requests for /tmp/myfile and /tmp/myfolder/myfile should succeed. However, requests for /tmp/../somefolder/myfile must not succeed.

Implementation details:

0) The following options will be added, accordingly:
a) mysqli
to be consistent with existing option 'mysqli.allow_local_infile'.

b) pdo_mysql
to be consistent with existing option 'PDO::MYSQL_ATTR_LOCAL_INFILE'.

Type of the new option is 'string'.

1) libmysql for mysqli / pdo_mysql
...will be supported as well regarding new option (by passing the related flag to lib)

usage e.g.:
it has to find headers, not only the lib

accordingly for pdo_mysql

in code such parts can be found around #ifdefs like:
#if !defined(MYSQLI_USE_MYSQLND)

2) open_basedir
...will be always respected (as currently), no matter what the values of local infile options are.
The new option 'local infile directory' may make access just more restricted.

related link:

3) resolving paths
We will use an existing function to resolve allowed paths, e.g.

4) info regarding libmysql
The support for libmysql seems to be heavily neglected. It doesn't build with mysql8 at all. Many changes will be needed to make it buildable, still keeping support for so far supported 5.x versions.
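
The FR2 grid and the FR3 subtree rule from the report above, sketched in C as an added example (not code from this report, mysqlnd or libmysqlclient). `local_infile_allowed()` and `demo_probe()` are hypothetical names, and the directory tree is constructed under a fresh temp dir. It assumes the resolve-then-compare reading of FR3, calling POSIX `realpath()` on both the allowed directory and the requested file before comparing them.

```c
#define _XOPEN_SOURCE 700 /* expose realpath(), mkdtemp(), symlink() */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: may `requested` be sent for LOAD DATA LOCAL? */
bool local_infile_allowed(bool enable_load_local, const char *allowed_dir, const char *requested)
{
    char dir[PATH_MAX], file[PATH_MAX];
    size_t n;
    if (enable_load_local)
        return true;                 /* FR2 rows 1-2: path not respected */
    if (allowed_dir == NULL || *allowed_dir == '\0')
        return false;                /* FR2 row 3: no uploads allowed */
    /* FR2 row 4 + FR3: resolve symlinks and ".." in BOTH elements first */
    if (!realpath(allowed_dir, dir) || !realpath(requested, file))
        return false;                /* unresolvable path: fail closed */
    n = strlen(dir);
    if (n == 1)
        return true;                 /* allowed dir resolved to "/" */
    /* the prefix must end on a separator, so .../safe never admits .../safe2/f */
    return strncmp(file, dir, n) == 0 && file[n] == '/';
}

/* Builds a constructed tree in a fresh temp dir; returns one bit per probe. */
unsigned demo_probe(void)
{
    char root[] = "/tmp/infileXXXXXX";
    const char *probe[] = { "safe/sub/f", "safe/../safe2/f", "safe2/f", "safe/link" };
    unsigned bits = 0;
    FILE *f;
    if (!mkdtemp(root) || chdir(root) != 0)
        return ~0u;
    mkdir("safe", 0700); mkdir("safe/sub", 0700); mkdir("safe2", 0700);
    if ((f = fopen("safe/sub/f", "w"))) fclose(f);
    if ((f = fopen("safe2/f", "w"))) fclose(f);
    if (symlink("../safe2/f", "safe/link") != 0) return ~0u; /* link leaves the subtree */
    for (unsigned i = 0; i < 4; i++)  /* restricted mode, allowed dir = safe */
        bits |= (unsigned)local_infile_allowed(false, "safe", probe[i]) << i;
    bits |= (unsigned)local_infile_allowed(true, "safe", "safe2/f") << 4; /* row 2 */
    bits |= (unsigned)local_infile_allowed(false, "", "safe/sub/f") << 5; /* row 3 */
    return bits;
}

int main(void) { printf("probe bits: 0x%02x\n", demo_probe()); return 0; } /* 0x11 */
```

Only bit 0 (a file in a proper subfolder) and bit 4 (`enableLoadLocal` true, path ignored) are set. The `..` escape, the sibling directory sharing the `safe` prefix, and the symlink pointing out of the subtree are all refused.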


 [2020-11-06 16:30 UTC]
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: marines
 [2021-01-24 20:17 UTC]
pull request
 [2021-02-23 08:33 UTC]
Automatic comment on behalf of
Log: Fix #80329: Add option to specify LOAD DATA LOCAL white list folder
 [2021-02-23 08:33 UTC]
-Status: Analyzed +Status: Closed
 [2022-05-26 10:33 UTC] reshmaroy876 at gmail dot com
The following pull request has been associated:

Patch Name: Fix 8.0 compatibility
On GitHub:
 [2022-05-26 10:34 UTC] reshmaroy876 at gmail dot com
The following pull request has been associated:

Patch Name: [WIP] Add RFC skeleton for interfaces
On GitHub:
 [2022-06-17 10:55 UTC] anamikaworld666 at gmail dot com
A particularly tangling page I saw this kind of weblog. I like your work. I like your opportunity out additionally.  Thankful for sharing.
 [2022-06-22 06:22 UTC] mumbaicitygirlss at gmail dot com
Great Website For The Best Fun
 [2023-06-08 08:32 UTC] hiralsharma80 at gmail dot com
Thanks searing your information, i really like:
Last updated: Sat Feb 24 10:01:27 2024 UTC