Spec-Zone .ru
спецификации, руководства, описания, API
|
|
Spec-Zone .ru
спецификации, руководства, описания, API
|
The LOAD DATA statement can load a file that is located on the server host, or it can
load a file that is located on the client host when the LOCAL keyword is specified.
There are two potential security issues with supporting the LOCAL version of LOAD
DATA statements:
The transfer of the file from the client host to the server host is initiated by
the MySQL server. In theory, a patched server could be built that would tell the client program to
transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the
client host to which the client user has read access.
In a Web environment where the clients are connecting from a Web server, a user
could use LOAD DATA LOCAL to read any files that the Web server process has
read access to (assuming that a user could run any command against the SQL server). In this environment,
the client with respect to the MySQL server actually is the Web server, not the remote program being run
by the user who connects to the Web server.
To deal with these problems, we changed how LOAD
DATA LOCAL is handled as of MySQL 3.23.49 and MySQL 4.0.2 (4.0.13 on Windows):
By default, all MySQL clients and libraries in binary distributions are compiled
with the -DENABLED_LOCAL_INFILE=1
option, to be compatible with MySQL 3.23.48 and before.
If you build MySQL from source but do not invoke CMake
with the -DENABLED_LOCAL_INFILE=1
option, LOAD DATA LOCAL cannot be used by any client unless it is written
explicitly to invoke mysql_options(...
MYSQL_OPT_LOCAL_INFILE, 0). See Section 22.8.7.49,
"mysql_options()".
You can disable all LOAD DATA LOCAL statements from the server side by starting mysqld with the --local-infile=0 option.
For the mysql command-line client, enable LOAD DATA LOCAL by specifying the --local-infile[=1] option, or disable it with the --local-infile=0 option. For mysqlimport, local data file loading is off by default;
enable it with the --local
or -L option. In any case, successful use of a local load operation requires
that the server permits it.
If you use LOAD
DATA LOCAL in Perl scripts or other programs that read the [client] group from option files, you can add the local-infile=1
option to that group. However, to keep this from causing problems for programs that do not understand
local-infile, specify it using the loose-
prefix:
[client]loose-local-infile=1
If LOAD DATA
LOCAL is disabled, either in the server or the client, a client that attempts to issue such a
statement receives the following error message:
ERROR 1148: The used command is not allowed with this MySQL version