#21356 [Com]: LOAD DATA issue
ID: 21356 Comment by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Open Bug Type: MySQL related Operating System: Slackware PHP Version: 4.3.0 New Comment: This security patch is extremely dubious on MySQL clients standalone, much less PHP. It purports to prevent patched MySQL clients/servers from causing problems by reading local files, but if you have a patched MySQL server, you have a much, much worse problem than remote file reads. Besides, if you can read arbitrary files using MySQL, you can do the same for PHP. This should have never entered the code stream, and really ought to be disabled (it's turned off by default in 3.23.49a and subsequent). Previous Comments: [2003-02-01 14:27:42] [EMAIL PROTECTED] This bug is found and test with W2K and NT4.0 PhP 4.3.0 Try with Mysql 3.23.53 - 3.23.54 - 3.23.55 Was not present PhP version before ( 4.2.4-dev snapshot from the 24 October 2002 Why this bug ??? Is there a lack in Quality Test... found this in the news.txt disto - Fixed a security bug in the bundled MySQL library. (Georg, Stefan) question why 3.23.49 client version as Mysql released very more up to date lib at the build 4.3. date. Could this be corrected in the snapshot-stable version. Thank ... have lost to much time today with this. [2003-01-29 14:59:16] [EMAIL PROTECTED] BASE microarray software requires this function. On gentoo I had to build mysql first after adding the flag, then rebuild php to get the functionality included. [2003-01-02 17:53:01] [EMAIL PROTECTED] Didn't try that specifically, but the problem does not exist if I use mysql from the command line. I 'solved' this for my immediate situation by removing the 'if' around the infile check in ext/mysql/libmysql/libmysql.c Here (line 1025?): /* Only enable LOAD DATA INFILE by default if configured with --with-enabled-local-inflile */ #ifdef ENABLED_LOCAL_INFILE mysql-options.client_flag|= CLIENT_LOCAL_FILES; #endif return mysql; is now: /* Only enable LOAD DATA INFILE by default if configured with --with-enabled-local-inflile */ mysql-options.client_flag|= CLIENT_LOCAL_FILES; return mysql; recompiled everything and it works. I'd tried to recompile PHP with '--with-enabled-local-inflile' (and the properly spelled '--with-enabled-local-infile') and neither worked. The only thing that worked was removing the IF stuff in the .c file. [2003-01-02 17:26:10] [EMAIL PROTECTED] Does the problem go away if you tell PHP to use your MySQL's headers rather then the ones bundled with PHP? [2003-01-02 16:46:14] [EMAIL PROTECTED] PHP 4.2.1 and MySQL system set up allowed users using the phpMyAdmin system to use the LOAD DATA INFILE functionality. ONLY thing changed was upgrading to PHP 4.3, and now that functionality produces the error 'The used command is not allowed with this MySQL version'. Seeing as how no other software changed, this seems to point to the bundled PHP MySQL client (which we're using) to not enabling the '--enable-local-infile' flag. === From the MySQL manual: By default, all MySQL clients and libraries are compiled with --enable-local-infile, to be compatible with MySQL 3.23.48 and before. One can disable all LOAD DATA LOCAL commands in the MySQL server by starting mysqld with --local-infile=0. In the case that LOAD DATA LOCAL INFILE is disabled in the server or the client, you will get the error message (1148): The used command is not allowed with this MySQL version Since we're using the --local-infile=1 to start the MySQL daemon, that points to the PHP 4.3 bundled client library being the culprit. -- Edit this bug report at http://bugs.php.net/?id=21356edit=1
#21356 [Com]: LOAD DATA issue
ID: 21356 Comment by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Open Bug Type: MySQL related Operating System: Slackware PHP Version: 4.3.0 New Comment: This bug is found and test with W2K and NT4.0 PhP 4.3.0 Try with Mysql 3.23.53 - 3.23.54 - 3.23.55 Was not present PhP version before ( 4.2.4-dev snapshot from the 24 October 2002 Why this bug ??? Is there a lack in Quality Test... found this in the news.txt disto - Fixed a security bug in the bundled MySQL library. (Georg, Stefan) question why 3.23.49 client version as Mysql released very more up to date lib at the build 4.3. date. Could this be corrected in the snapshot-stable version. Thank ... have lost to much time today with this. Previous Comments: [2003-01-29 14:59:16] [EMAIL PROTECTED] BASE microarray software requires this function. On gentoo I had to build mysql first after adding the flag, then rebuild php to get the functionality included. [2003-01-02 17:53:01] [EMAIL PROTECTED] Didn't try that specifically, but the problem does not exist if I use mysql from the command line. I 'solved' this for my immediate situation by removing the 'if' around the infile check in ext/mysql/libmysql/libmysql.c Here (line 1025?): /* Only enable LOAD DATA INFILE by default if configured with --with-enabled-local-inflile */ #ifdef ENABLED_LOCAL_INFILE mysql-options.client_flag|= CLIENT_LOCAL_FILES; #endif return mysql; is now: /* Only enable LOAD DATA INFILE by default if configured with --with-enabled-local-inflile */ mysql-options.client_flag|= CLIENT_LOCAL_FILES; return mysql; recompiled everything and it works. I'd tried to recompile PHP with '--with-enabled-local-inflile' (and the properly spelled '--with-enabled-local-infile') and neither worked. The only thing that worked was removing the IF stuff in the .c file. [2003-01-02 17:26:10] [EMAIL PROTECTED] Does the problem go away if you tell PHP to use your MySQL's headers rather then the ones bundled with PHP? [2003-01-02 16:46:14] [EMAIL PROTECTED] PHP 4.2.1 and MySQL system set up allowed users using the phpMyAdmin system to use the LOAD DATA INFILE functionality. ONLY thing changed was upgrading to PHP 4.3, and now that functionality produces the error 'The used command is not allowed with this MySQL version'. Seeing as how no other software changed, this seems to point to the bundled PHP MySQL client (which we're using) to not enabling the '--enable-local-infile' flag. === From the MySQL manual: By default, all MySQL clients and libraries are compiled with --enable-local-infile, to be compatible with MySQL 3.23.48 and before. One can disable all LOAD DATA LOCAL commands in the MySQL server by starting mysqld with --local-infile=0. In the case that LOAD DATA LOCAL INFILE is disabled in the server or the client, you will get the error message (1148): The used command is not allowed with this MySQL version Since we're using the --local-infile=1 to start the MySQL daemon, that points to the PHP 4.3 bundled client library being the culprit. -- Edit this bug report at http://bugs.php.net/?id=21356edit=1
#21356 [Com]: LOAD DATA issue
ID: 21356 Comment by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Open Bug Type: MySQL related Operating System: Slackware PHP Version: 4.3.0 New Comment: BASE microarray software requires this function. On gentoo I had to build mysql first after adding the flag, then rebuild php to get the functionality included. Previous Comments: [2003-01-02 17:53:01] [EMAIL PROTECTED] Didn't try that specifically, but the problem does not exist if I use mysql from the command line. I 'solved' this for my immediate situation by removing the 'if' around the infile check in ext/mysql/libmysql/libmysql.c Here (line 1025?): /* Only enable LOAD DATA INFILE by default if configured with --with-enabled-local-inflile */ #ifdef ENABLED_LOCAL_INFILE mysql-options.client_flag|= CLIENT_LOCAL_FILES; #endif return mysql; is now: /* Only enable LOAD DATA INFILE by default if configured with --with-enabled-local-inflile */ mysql-options.client_flag|= CLIENT_LOCAL_FILES; return mysql; recompiled everything and it works. I'd tried to recompile PHP with '--with-enabled-local-inflile' (and the properly spelled '--with-enabled-local-infile') and neither worked. The only thing that worked was removing the IF stuff in the .c file. [2003-01-02 17:26:10] [EMAIL PROTECTED] Does the problem go away if you tell PHP to use your MySQL's headers rather then the ones bundled with PHP? [2003-01-02 16:46:14] [EMAIL PROTECTED] PHP 4.2.1 and MySQL system set up allowed users using the phpMyAdmin system to use the LOAD DATA INFILE functionality. ONLY thing changed was upgrading to PHP 4.3, and now that functionality produces the error 'The used command is not allowed with this MySQL version'. Seeing as how no other software changed, this seems to point to the bundled PHP MySQL client (which we're using) to not enabling the '--enable-local-infile' flag. === From the MySQL manual: By default, all MySQL clients and libraries are compiled with --enable-local-infile, to be compatible with MySQL 3.23.48 and before. One can disable all LOAD DATA LOCAL commands in the MySQL server by starting mysqld with --local-infile=0. In the case that LOAD DATA LOCAL INFILE is disabled in the server or the client, you will get the error message (1148): The used command is not allowed with this MySQL version Since we're using the --local-infile=1 to start the MySQL daemon, that points to the PHP 4.3 bundled client library being the culprit. -- Edit this bug report at http://bugs.php.net/?id=21356edit=1
