[php-maint] Bug#562782: Bug#562782: Bug#562782: php5-mysql: load data local bypasses basedir due to the way libmysqlclient15off is compiled
Michal S.
wejn at box.cz
Mon Jan 18 12:57:35 UTC 2010
Ondrej,
> Have you read [snip]
> ?
>
> Quoting:
> You can disable all LOAD DATA LOCAL commands from the server side by
> starting mysqld with the --local-infile=0 option.
>
> Hence this is not a bug, but a feature, so I am closing this bug.
I respectfully disagree.
Turning off LOAD DATA LOCAL (henceforth LDL) support on your mysql
server is akin to protecting your car by taking out your battery
and leaving the keys inside.
The only thing preventing potential attacker from reading local
filesystem is somehow disabled support for LDL in the *client*
library, because he can connect to 3rd party mysql server that
has LDL support enabled.
And while I understand you don't consider open_basedir bugs
critical, I also understand there's no other out-of-the-box
setup for PHP in Debian that would be (reasonably) secure.
(please correct me if I'm wrong here)
Regards,
M.S.
--
Michal S. <wejn(at)box.cz>
"Being defeated is often temporary condition. By giving up
we make it permanent". (Anonymous)
More information about the pkg-php-maint
mailing list