authorDarek Slusarczyk <dariusz.slusarczyk@oracle.com>2019-02-11 17:16:49 +0100
committerDarek Slusarczyk <dariusz.slusarczyk@oracle.com>2019-02-11 18:04:51 +0100
commit2eaabf06fc5a62104ecb597830b2852d71b0a111 (patch)
tree678c001e7bac00445f7b1ddd25adc326a7cc1db0 /ext/mysqlnd/mysqlnd_connection.c
parent65d81833bbd1de8c38abc591525ebce56bdbd95c (diff)
security fix - by default 'local infile' is disabled:
- set default for mysqli.allow_local_infile=0
- explicitly disable PDO::MYSQL_ATTR_LOCAL_INFILE in case of lack of driver options
- add getAttribute support for PDO::MYSQL_ATTR_LOCAL_INFILE
- update existing tests where needed
- add new tests [checking default value and setting on] the 'local infile' in ext/mysqli and ext/pdo_mysql
Diffstat (limited to 'ext/mysqlnd/mysqlnd_connection.c')
-rw-r--r--ext/mysqlnd/mysqlnd_connection.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ext/mysqlnd/mysqlnd_connection.c b/ext/mysqlnd/mysqlnd_connection.c
index 654673f500..ee63e07efa 100644
--- a/ext/mysqlnd/mysqlnd_connection.c
+++ b/ext/mysqlnd/mysqlnd_connection.c
@@ -489,7 +489,8 @@ MYSQLND_METHOD(mysqlnd_conn_data, get_updated_connect_flags)(MYSQLND_CONN_DATA *
MYSQLND_VIO * vio = conn->vio;
DBG_ENTER("mysqlnd_conn_data::get_updated_connect_flags");
- /* we allow load data local infile by default */
+ /* allow CLIENT_LOCAL_FILES capability, although extensions basing on mysqlnd
+ shouldn't allow 'load data local infile' by default due to security issues */
mysql_flags |= MYSQLND_CAPABILITIES;
mysql_flags |= conn->options->flags; /* use the flags from set_client_option() */
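Review bot: The rewritten comment above `mysql_flags |= MYSQLND_CAPABILITIES;` says the CLIENT_LOCAL_FILES capability is still allowed at this layer, but it does not say where a 'load data local infile' request is actually refused when an extension leaves the option off. Because the capability set is ORed in unconditionally on that line, the default-off behaviour described in the commit message appears to rest on each extension built on mysqlnd, so a consumer that never touches the option would presumably still advertise the capability to the server. I would spell that out in the comment, for example `/* CLIENT_LOCAL_FILES stays in the advertised capabilities; local infile itself must be enabled per connection through set_client_option() */`, once it is confirmed that this is where the check lives, and change "basing on" to "based on". The function starts and ends outside this hunk, so any later masking of the flag is not visible here.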