MySQL: Disallow LOAD DATA LOCAL INFILE

diff --git a/adminer/drivers/mysql.inc.php b/adminer/drivers/mysql.inc.php
index 9e4fe570402377c85f329bd8c9a84b2041cef7a7..c54ade0f77085e9405cb46b23126a0eaac731476 100644 (file)
--- a/adminer/drivers/mysql.inc.php
+++ b/adminer/drivers/mysql.inc.php
@@ -30,6 +30,7 @@ if (!defined("DRIVER")) {
                                        (!is_numeric($port) ? $port : $socket),
                                        ($ssl ? 64 : 0) // 64 - MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT (not available before PHP 5.6.16)
                                );
+                               $this->options(MYSQLI_OPT_LOCAL_INFILE, false);
                                return $return;
                        }
 
@@ -56,7 +57,7 @@ if (!defined("DRIVER")) {
                        }
                }
 
-       } elseif (extension_loaded("mysql") && !(ini_get("sql.safe_mode") && extension_loaded("pdo_mysql"))) {
+       } elseif (extension_loaded("mysql") && !((ini_bool("sql.safe_mode") || ini_bool("mysql.allow_local_infile")) && extension_loaded("pdo_mysql"))) {
                class Min_DB {
                        var
                                $extension = "MySQL", ///< @var string extension name
@@ -74,6 +75,10 @@ if (!defined("DRIVER")) {
                        * @return bool
                        */
                        function connect($server, $username, $password) {
+                               if (ini_bool("mysql.allow_local_infile")) {
+                                       $this->error = lang('Disable %s or enable %s or %s extensions.', "'mysql.allow_local_infile'", "MySQLi", "PDO_MySQL");
+                                       return false;
+                               }
                                $this->_link = @mysql_connect(
                                        ($server != "" ? $server : ini_get("mysql.default_host")),
                                        ("$server$username" != "" ? $username : ini_get("mysql.default_user")),
@@ -230,10 +235,10 @@ if (!defined("DRIVER")) {
 
                        function connect($server, $username, $password) {
                                global $adminer;
-                               $options = array();
+                               $options = array(PDO::MYSQL_ATTR_LOCAL_INFILE => false);
                                $ssl = $adminer->connectSsl();
                                if ($ssl) {
-                                       $options = array(
+                                       $options += array(
                                                PDO::MYSQL_ATTR_SSL_KEY => $ssl['key'],
                                                PDO::MYSQL_ATTR_SSL_CERT => $ssl['cert'],
                                                PDO::MYSQL_ATTR_SSL_CA => $ssl['ca'],

diff --git a/adminer/include/pdo.inc.php b/adminer/include/pdo.inc.php
index f5d2d34e3fe65a366ab4a23a7a3769a6dcaaab1b..14fb91cea5f15bd4af121c3d03c220475d291494 100644 (file)
--- a/adminer/include/pdo.inc.php
+++ b/adminer/include/pdo.inc.php
@@ -29,6 +29,9 @@ if (extension_loaded('pdo')) {
                        $this->error = "";
                        if (!$result) {
                                list(, $this->errno, $this->error) = $this->errorInfo();
+                               if (!$this->error) {
+                                       $this->error = lang('Unknown error.');
+                               }
                                return false;
                        }
                        $this->store_result($result);

diff --git a/adminer/lang/cs.inc.php b/adminer/lang/cs.inc.php
index ca0d59c748a9a256d381d607e0b7a75628fe10b8..baa3de9dec6f62794254327c2096935801fb9d83 100644 (file)
--- a/adminer/lang/cs.inc.php
+++ b/adminer/lang/cs.inc.php
@@ -22,6 +22,7 @@ $translations = array(
        'No extension' => 'Žádné rozšíření',
        'None of the supported PHP extensions (%s) are available.' => 'Není dostupné žádné z podporovaných PHP rozšíření (%s).',
        'Connecting to privileged ports is not allowed.' => 'Připojování k privilegovaným portům není povoleno.',
+       'Disable %s or enable %s or %s extensions.' => 'Zakažte %s nebo povolte extenze %s nebo %s.',
        'Session support must be enabled.' => 'Session proměnné musí být povolené.',
        'Session expired, please login again.' => 'Session vypršela, přihlašte se prosím znovu.',
        'The action will be performed after successful login with the same credentials.' => 'Akce bude provedena po úspěšném přihlášení se stejnými přihlašovacími údaji.',
@@ -54,6 +55,7 @@ $translations = array(
        'Query executed OK, %d row(s) affected.' => array('Příkaz proběhl v pořádku, byl změněn %d záznam.', 'Příkaz proběhl v pořádku, byly změněny %d záznamy.', 'Příkaz proběhl v pořádku, bylo změněno %d záznamů.'),
        'No commands to execute.' => 'Žádné příkazy k vykonání.',
        'Error in query' => 'Chyba v dotazu',
+       'Unknown error.' => 'Neznámá chyba.',
        'Warnings' => 'Varování',
        'ATTACH queries are not supported.' => 'Dotazy ATTACH nejsou podporované.',
        'Execute' => 'Provést',

diff --git a/adminer/lang/xx.inc.php b/adminer/lang/xx.inc.php
index 2c3babc5e80cfde028b9d56d0c8b7ca877a82907..73b9ed2d6a933b80820ea46de10bdc7404cbf67f 100644 (file)
--- a/adminer/lang/xx.inc.php
+++ b/adminer/lang/xx.inc.php
@@ -22,6 +22,7 @@ $translations = array(
        'No extension' => 'Xx',
        'None of the supported PHP extensions (%s) are available.' => 'Xx (%s).',
        'Connecting to privileged ports is not allowed.' => 'Xx.',
+       'Disable %s or enable %s or %s extensions.' => 'Xx %s xx %s xx %s xx.',
        'Session support must be enabled.' => 'Xx.',
        'Session expired, please login again.' => 'Xx.',
        'The action will be performed after successful login with the same credentials.' => 'Xx.',
@@ -54,6 +55,7 @@ $translations = array(
        'Query executed OK, %d row(s) affected.' => array('Xx, %d.', 'Xx, %d.'),
        'No commands to execute.' => 'Xx.',
        'Error in query' => 'Xx',
+       'Unknown error.' => 'Xx.',
        'Warnings' => 'Xx',
        'ATTACH queries are not supported.' => 'Xx.',
        'Execute' => 'Xx',

diff --git a/changes.txt b/changes.txt
index 0c6cd0de8b48399bf6ac7c7322419da6f5c7d640..e4a495470693b12f556edce83ec73d8a1ff2bfd4 100644 (file)
--- a/changes.txt
+++ b/changes.txt
@@ -7,6 +7,7 @@ Decrease timeout for running slow queries from 5 seconds to 2 seconds
 Fix displaying info about non-alphabetical objects (bug #599)
 Use secure cookies on HTTP if session.cookie_secure is set
 PDO: Support binary fields download
+MySQL: Disallow LOAD DATA LOCAL INFILE
 MySQL: Use CONVERT() only when searching for non-ASCII (bug #603)
 MySQL: Order database names in MySQL 8 (bug #613)
 PostgreSQL: Add SQL operator to search