[MDEV-24186] Safe LOAD DATA LOCAL INFILE handling Created: 2020-11-10 Updated: 2024-01-15 Resolved: 2024-01-15 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Protocol |
| Fix Version/s: | N/A |
| Type: | Task | Priority: | Major |
| Reporter: | Georg Richter | Assignee: | Georg Richter |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Issue Links: |
|
||||||||
| Description |
|
This is the server counter part of CONC-515. Safe LOAD DATA LOCAL INFILE handling will be indicated by the capability flag MARIADB_CLIENT_SAFE_LOCAL_INFILE. If the client indicates that is is able to handle LOAD DATA LOCAL INFILE in a safely manner (MARIADB_CLIENT_SAFE_LOCAL_INFILE was set), the server will not send the filename anymore to the server. The setting local_infile=0 will not disable LOAD DATA LOCAL INFILE, if both client and server support safe local infile handling. |
| Comments |
| Comment by Sergei Golubchik [ 2024-01-15 ] |
|
It doesn't make much sense to fix LOAD DATA LOCAL INFILE security on the server. The whole problem is that the client doesn't trust the server to request file names, so no matter what is changed on the server it won't fix the trust issue. It has to be solved on the client side. |