From 2eaabf06fc5a62104ecb597830b2852d71b0a111 Mon Sep 17 00:00:00 2001
From: Darek Slusarczyk
Date: Mon, 11 Feb 2019 17:16:49 +0100
Subject: security fix - by default 'local infile' is disabled: - set default for mysqli.allow_local_infile=0 - explicitly disable PDO::MYSQL_ATTR_LOCAL_INFILE in case of lack of driver options - add getAttribute support for PDO::MYSQL_ATTR_LOCAL_INFILE - update existing tests where needed - add new tests [checking default value and setting on] the 'local infile' in ext/mysqli and ext/pdo_mysql
---
 ext/mysqlnd/mysqlnd_connection.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'ext/mysqlnd/mysqlnd_connection.c')
diff --git a/ext/mysqlnd/mysqlnd_connection.c b/ext/mysqlnd/mysqlnd_connection.c
index 654673f500..ee63e07efa 100644
--- a/ext/mysqlnd/mysqlnd_connection.c
+++ b/ext/mysqlnd/mysqlnd_connection.c
@@ -489,7 +489,8 @@ MYSQLND_METHOD(mysqlnd_conn_data, get_updated_connect_flags)(MYSQLND_CONN_DATA *
 MYSQLND_VIO * vio = conn->vio;
 DBG_ENTER("mysqlnd_conn_data::get_updated_connect_flags");
- /* we allow load data local infile by default */
+ /* allow CLIENT_LOCAL_FILES capability, although extensions basing on mysqlnd
+ shouldn't allow 'load data local infile' by default due to security issues */
 mysql_flags |= MYSQLND_CAPABILITIES;
 mysql_flags |= conn->options->flags; /* use the flags from set_client_option() */
--
cgit v1.2.1
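Review bot: The reworded comment above `mysql_flags |= MYSQLND_CAPABILITIES;` says extensions should not allow 'load data local infile' by default, yet the line it documents is unchanged and still sets the capability for every connection. In this file the secure default therefore rests entirely on code outside the hunk, and the comment does not say where a server-requested local file read is actually refused. I would name the gate in the comment, for example `/* CLIENT_LOCAL_FILES stays set here; a local infile request must still be refused unless the caller enabled it via set_client_option() */`, provided that is how the request path behaves. It is also worth confirming that a mysqlnd consumer which never sets the option is covered by a test, since the commit message mentions tests only for ext/mysqli and ext/pdo_mysql. The body of get_updated_connect_flags starts and ends outside the hunk.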