D20004.diff

diff --git a/src/aphront/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php b/src/aphront/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
--- a/src/aphront/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
+++ b/src/aphront/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
@@ -64,18 +64,6 @@
$conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, $timeout);
}
- // See T13238. Attempt to prevent "LOAD DATA LOCAL INFILE", which allows a
- // malicious server to ask the client for any file.
-
- // NOTE: See T13238. This option does not appear to ever have any effect.
- // Only the PHP level configuration of "mysqli.allow_local_infile" is
- // effective in preventing "LOAD DATA LOCAL INFILE". It appears that the
- // configuration option may overwrite the local option? Set the local
- // option to the desired (safe) value anyway in case this starts working
- // properly in some future version of PHP/MySQLi.
-
- $conn->options(MYSQLI_OPT_LOCAL_INFILE, 0);
-
if ($this->getPersistent()) {
$host = 'p:'.$host;
}
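Review bot: the NOTE deleted in this hunk was the only place in the file recording that the PHP-level "mysqli.allow_local_infile" setting is what actually prevented "LOAD DATA LOCAL INFILE". With the whole comment block gone, nothing here points operators at that setting any more. Consider carrying one sentence about it into the replacement comment, so the ini setting stays documented as the control to rely on if the per-connection option again proves ineffective on some PHP version.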
@@ -93,6 +81,11 @@
$this->throwConnectionException($errno, $error, $user, $host);
}
+ // See T13238. Attempt to prevent "LOAD DATA LOCAL INFILE", which allows a
+ // malicious server to ask the client for any file. At time of writing,
+ // this option MUST be set after "real_connect()" on all PHP versions.
+ $conn->options(MYSQLI_OPT_LOCAL_INFILE, 0);
+
$this->connectionOpen = true;
$ok = @$conn->set_charset('utf8mb4');
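Review bot: the result of the added `$conn->options(MYSQLI_OPT_LOCAL_INFILE, 0);` call is discarded, so if setting the option fails the code still goes on to set `$this->connectionOpen = true;` with local infile in whatever state the PHP configuration left it. Since the comment says this call is what prevents a malicious server from requesting client files, check the boolean return value and fail closed (for example by throwing, as the error path just above does) rather than continuing silently. The comment's "At time of writing ... on all PHP versions" would also be easier to revisit later if it named the PHP versions that were actually tested.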
