MySQL general security guidelines. Part 4.
Security Issues with LOAD DATA LOCAL
The LOAD DATA statement can load a file located on the server host, or a file located on the client host when the LOCAL keyword is specified.
There are two security issues when using the LOCAL version of LOAD DATA:
-
The MySQL server initiates the transfer of the file from the client host to the server host. It is therefore possible for the server to access any file on the client host to which the client user has read access.
-
In a Web environment, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to.
These problems have been address in the later versions of MySQL (versions 3.23.49 and 4.0.2):
-
All MySQL clients and libraries in binary distributions are compiled, by default, with the –enable-local-infile option, to be compatible with MySQL 3.23.48 and before.
-
If you build MySQL from source, you must invoke configure with the –enable-local-infile option, or else LOAD DATA LOCAL cannot be used by any client unless it is written explicitly to invoke mysql options(?MYSQL OPT LOCAL INFILE, 0),
-
Disable all LOAD DATA LOCAL commands from the server side by starting mysqld with the –local-infile=0 option.
-
With the mysql command-line client, LOAD DATA LOCAL can be enabled by specifying the –local-infile[=1] option and disabled with the –local-infile=0 option. For mysqlimport, the –local or -L option enables local data file loading.
-
If you use LOAD DATA LOCAL in programs that read the [client] group from option files, you can add the local-infile=1 option to that group. But use the loose- prefix to keep this from causing problems for programs that do not understand local-infile. If LOAD DATA LOCAL INFILE is disabled then a client that issues such a statement receives an error message.
Want to be notified when new posts are published?
