Security of the Load DATA local statement in MySQL

The load data statement can mount the files on the server host, and if the local keyword is specified, the client file can be loaded.

There are two possible security issues that support the local version of the load data statement:

· The transfer of the MySQL server boot file from the client to the server host. In theory, a patched server can tell the client that the file is selected by the transport server, rather than the file specified by the customer with the load data statement. This allows the server to access any files on the client's client that have read access.

· In a Web environment where a customer connects from a Web server, the user can use load DATA Local to read any file in which the Web server process has read access (assuming that the user can run any command of the SQL Server). In this environment, the client of the MySQL server is actually a Web server, not a program that the user who connects to the Web server runs.

To handle these issues, we changed the load DATA local processing in the MySQL 3.23.49 and MySQL 4.0.2 (4.0.13 in Windows):

· By default, now all binaries in the MySQL client and library are compiled with the--enable-local-infile option to be compatible with the MySQL 3.23.48 and previous versions.

· If you build MySQL from the source code but do not use the--enable-local-infile option to configure, the customer cannot use load DATA local unless you explicitly call Mysql_options (...). Mysql_opt_ local _infile,0). See section 25.2.3.48, "mysql_options ()".

· You can use the--local-infile=0 option to start mysqld Disable all load DATA Local commands from the server side.

· For MySQL command-line clients, the load DATA local can be enabled by specifying the--local-infile[=1] option or disabled by the--local-infile=0 option. Similarly, local data file mounts are enabled for the mysqlimport,--local or-l option. In any case, a successful local mount requires the server to enable related options.

· If you use a program that uses the load DATA local perl script or other [client] group in the read options file, you can add the local-infile=1 option to the group. However, in order to face the problem of not understanding the local-infile procedure, it is stipulated that the use of Loose-prefix:

·[client]
·loose-local-infile=1

• If the load DATA local infile is disabled on the server or client, the client attempting to execute the statement will receive the following error message:

ERROR 1148: The used command is not
allowed with this MySQL version