From 2eaabf06fc5a62104ecb597830b2852d71b0a111 Mon Sep 17 00:00:00 2001 From: Darek Slusarczyk Date: Mon, 11 Feb 2019 17:16:49 +0100 Subject: security fix - by default 'local infile' is disabled: - set default for mysqli.allow_local_infile=0 - explicitly disable PDO::MYSQL_ATTR_LOCAL_INFILE in case of lack of driver options - add getAttribute support for PDO::MYSQL_ATTR_LOCAL_INFILE - update existing tests where needed - add new tests [checking default value and setting on] the 'local infile' in ext/mysqli and ext/pdo_mysql --- ext/pdo_mysql/mysql_driver.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'ext/pdo_mysql/mysql_driver.c') diff --git a/ext/pdo_mysql/mysql_driver.c b/ext/pdo_mysql/mysql_driver.c index 85b35b5b70..101510e385 100644 --- a/ext/pdo_mysql/mysql_driver.c +++ b/ext/pdo_mysql/mysql_driver.c @@ -467,6 +467,12 @@ static int pdo_mysql_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *return_ case PDO_MYSQL_ATTR_MAX_BUFFER_SIZE: ZVAL_LONG(return_value, H->max_buffer_size); break; +#else + case PDO_MYSQL_ATTR_LOCAL_INFILE: + ZVAL_BOOL( + return_value, + (H->server->data->options->flags & CLIENT_LOCAL_FILES) == CLIENT_LOCAL_FILES); + break; #endif default: @@ -746,6 +752,15 @@ static int pdo_mysql_handle_factory(pdo_dbh_t *dbh, zval *driver_options) CLIENT_SSL_DONT_VERIFY_SERVER_CERT; } } +#endif + } else { +#if defined(MYSQL_OPT_LOCAL_INFILE) || defined(PDO_USE_MYSQLND) + // in case there are no driver options disable 'local infile' explicitly + zend_long local_infile = 0; + if (mysql_options(H->server, MYSQL_OPT_LOCAL_INFILE, (const char *)&local_infile)) { + pdo_mysql_error(dbh); + goto cleanup; + } #endif } -- cgit v1.2.1