[php-maint] Bug#562782: php5-mysql: load data local bypasses basedir due to the way libmysqlclient15off is compiled

The Mighty System Admin wejn at box.cz
Sun Dec 27 21:12:15 UTC 2009

Package: php5-mysql
Version: 5.2.6.dfsg.1-1+lenny3
Severity: normal

mysql extension for php5 package bypasses open_basedir restrictions
due to the way libmysqlclient package is compiled.

Forcing the "--enable-local-infile" flag during compilation of
libmysqlclient package causes the built-in protection in php5's
mysql extension to malfunction allowing anyone to read files outside

>From the limited research I did, there's no way to make this
protection work properly unless the aforementioned compile flag
is turned off.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

More information about the pkg-php-maint mailing list