From:             unknown at masterhost dot ru
Operating system: any
PHP version:      4.3.7
PHP Bug Type:     MySQL related
Bug description:  LOAD DATA LOCAL security hole problem is still not solved

Description:
------------
The file accesses with 'LOAD DATA LOCAL INFILE' are made by the mysql client library, so you can access any file which the webserver process can access, IGNORING the open_basedir option!

This problem was reported about a year ago (Bug #23779 LOAD DATA LOCAL isn't respecting open_basedir), and you tried to resolve it:

http://cvs.php.net/diff.php/php-src/ext/mysql/php_mysql.c?r1=1.174.2.13&r2=1.174.2.14&ty=h

    /* disable local infile option for open_basedir */
    if (strlen(PG(open_basedir))) {
        client_flags ^= CLIENT_LOCAL_FILES;
    }

You have used XOR, so if the user specified options '128' as the fifth parameter for mysql_connect() with enabled open_basedir restrictions, it should disable LOAD DATA LOCAL. But with '0' options given it enables LOAD DATA LOCAL, so we have it enabled by default!

It seems it should be not just a XOR, maybe

    client_flags &= (32767^CLIENT_LOCAL_FILES);

or something like this.

Reproduce code:
---------------
<?php
$link = mysql_connect('host', 'user', 'password', false, 0);
$db_selected = mysql_select_db('database', $link);
$result = mysql_query("LOAD DATA LOCAL INFILE 'datafile.txt' INTO TABLE test");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}
mysql_close($link);
?>

Expected result:
----------------
There should be an error:

Invalid query: The used command is not allowed with this MySQL version

But there isn't, the query is successful...

Actual result:
--------------
Data from the file is inserted into the 'test' table.

-- 
Edit bug report at http://bugs.php.net/?id=28632&edit=1
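
The toggle-versus-clear behaviour described in the report above, as an added C example that is not part of the original report or of PHP's source. The flag values are those from MySQL's mysql_com.h (128 matches the report); the function names, the sample flag list and the /var/www path are constructed for illustration, and the `& ~` form is the usual bit-clear idiom rather than the exact mask the reporter proposed.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as in MySQL's mysql_com.h; 128 is the value named in the report. */
#define CLIENT_COMPRESS      32UL
#define CLIENT_LOCAL_FILES   128UL
#define CLIENT_IGNORE_SPACE  256UL

/* Logic quoted in the report: XOR toggles the bit, so a caller
 * who passed 0 ends up with LOCAL INFILE switched ON. */
static unsigned long restrict_xor(unsigned long client_flags, const char *open_basedir)
{
    if (strlen(open_basedir)) {
        client_flags ^= CLIENT_LOCAL_FILES;
    }
    return client_flags;
}

/* Bit-clear form: AND with the complement clears the bit whatever
 * the caller passed, and leaves every other flag untouched. */
static unsigned long restrict_clear(unsigned long client_flags, const char *open_basedir)
{
    if (strlen(open_basedir)) {
        client_flags &= ~CLIENT_LOCAL_FILES;
    }
    return client_flags;
}

typedef unsigned long (*restrict_fn)(unsigned long, const char *);

/* Run a restriction function over constructed caller flag values and
 * count how many still have LOCAL INFILE enabled afterwards. */
static int count_local_enabled(restrict_fn fn, const char *open_basedir)
{
    static const unsigned long samples[] = {
        0, CLIENT_LOCAL_FILES, CLIENT_COMPRESS,
        CLIENT_COMPRESS | CLIENT_LOCAL_FILES,
        CLIENT_IGNORE_SPACE, CLIENT_IGNORE_SPACE | CLIENT_LOCAL_FILES
    };
    int enabled = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long out = fn(samples[i], open_basedir);
        int on = (out & CLIENT_LOCAL_FILES) != 0;
        printf("in=%4lu out=%4lu LOCAL INFILE %s\n", samples[i], out, on ? "ON" : "off");
        enabled += on;
    }
    return enabled;
}

int main(void)
{
    const char *basedir = "/var/www";   /* constructed open_basedir value */
    printf("xor:   %d still enabled\n", count_local_enabled(restrict_xor, basedir));
    printf("clear: %d still enabled\n", count_local_enabled(restrict_clear, basedir));
    return 0;
}
```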
