[php-maint] Bug#562782: Bug#562782: Bug#562782: php5-mysql: load data local bypasses basedir due to the way libmysqlclient15off is compiled

Ondřej Surý ondrej at debian.org
Mon Jan 18 10:45:11 UTC 2010


close 562782
notfound php5/5.2.6.dfsg.1-1+lenny3
thank you

Have you read http://dev.mysql.com/doc/mysql-security-excerpt/5.1/en/load-data-local.html ?

Quoting:
You can disable all LOAD DATA LOCAL commands from the server side by
starting mysqld with the --local-infile=0 option.

Hence this is not a bug, but a feature, so I am closing this bug.

Ondrej

2010/1/6 Ondřej Surý <ondrej at debian.org>:
> Hi anonymous admin,
>
> we do not consider open_basedir bugs as critical, so this will
> probably not be fixed in stable.  Are you able to test if this also
> applies to version in unstable (in chroot, or kvm)?
>
> Ondrej
>
> On Sun, Dec 27, 2009 at 22:12, The Mighty System Admin <wejn at box.cz> wrote:
>> Package: php5-mysql
>> Version: 5.2.6.dfsg.1-1+lenny3
>> Severity: normal
>>
>> mysql extension for php5 package bypasses open_basedir restrictions
>> due to the way libmysqlclient package is compiled.
>>
>> Forcing the "--enable-local-infile" flag during compilation of
>> libmysqlclient package causes the built-in protection in php5's
>> mysql extension to malfunction allowing anyone to read files outside
>> open_basedir.
>>
>> From the limited research I did, there's no way to make this
>> protection work properly unless the aforementioned compile flag
>> is turned off.
>>
>> -- System Information:
>> Debian Release: 5.0.3
>>  APT prefers stable
>>  APT policy: (500, 'stable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_US, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
>> Shell: /bin/sh linked to /bin/bash
>>
>>
>>
>> _______________________________________________
>> pkg-php-maint mailing list
>> pkg-php-maint at lists.alioth.debian.org
>> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
>>
>
>
>
> --
> Ondřej Surý <ondrej at sury.org>
> http://blog.rfc1925.org/



-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
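
The server-side setting quoted above can be checked in a MySQL option file. The following is an added example, not part of the original thread or of any Debian or MySQL code: the function name `server_local_infile` and the sample file are constructed, and it also handles the `skip-` and `loose-` option prefixes from MySQL's general option-file conventions. It reads option-file text only, not command-line flags or runtime changes.

```python
import re

# Constructed sample option file (not taken from the bug report).
SAMPLE_MY_CNF = """\
[client]
local-infile = 1

[mysqld]
datadir = /var/lib/mysql
local_infile = ON    # earlier line, overridden below
local-infile=0
"""

SERVER_GROUPS = {"mysqld", "server"}   # groups read by the server
FALSE_VALUES = {"0", "off", "false"}


def server_local_infile(cnf_text):
    """Return True/False for the last local-infile setting found in a
    server group, or None when the file leaves the server default."""
    group, state = None, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        if group not in SERVER_GROUPS:
            continue  # e.g. [client] only affects client programs
        name, _, value = line.partition("=")
        # '-' and '_' are interchangeable in MySQL option names.
        name = name.strip().lower().replace("_", "-")
        value = value.split("#", 1)[0].strip().strip("'\"").lower()
        if name.startswith("loose-"):
            name = name[len("loose-"):]
        if name == "skip-local-infile":
            state = False
        elif name == "local-infile":
            # A bare boolean option with no value means "enabled".
            state = value not in FALSE_VALUES
    return state
```

A result of `None` means the file does not set the option in a server group, so the compiled-in default of the installed mysqld version applies.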




