[CONJ-1322] Match LOAD LOCAL INFILE filename case-sensitively - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.3.5, 3.4.3, 2.7.14, 3.5.9
Component/s: security
Labels:
None

Description

When the server requests a local file (LOAD DATA/XML LOCAL INFILE), the connector validates that the requested filename matches the one in the client's SQL statement, so a rogue or man-in-the-middle server cannot request an arbitrary file.

That validation compared the filename case-insensitively. On case-sensitive filesystems (Linux), a path differing only in case is a distinct file, so the check was slightly looser than the actual filesystem semantics.

from https://github.com/mariadb-corporation/mariadb-connector-j/pull/225

Attachments

Activity

People

Assignee:: Diego Dupin

Reporter:: Diego Dupin

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 1 week ago 15:42

Updated:: 1 week ago 15:49

Resolved:: 1 week ago 15:44

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.