A malicious MySQL server can instruct MySQL clients to send it any file. See:
This is not normally exploitable (an attacker can't instruct Phabricator to connect to a MySQL server they control), but the existence of the capability is completely absurd and it's relatively easy to prevent:
It looks like the approach is:
- If we're using MySQLi, disable MYSQLI_OPT_LOCAL_INFILE.
- If we're not using MySQLi, raise a setup warning if mysql.allow_local_infile is enabled.
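The two branches above, written out as an added PHP example (this is not Phabricator's own code): the MySQLi path disables `MYSQLI_OPT_LOCAL_INFILE` before the handshake, and the non-MySQLi path reads the `mysql.allow_local_infile` ini flag and returns a setup-warning string. The function names and the `$using_mysqli` parameter are hypothetical; host, user, password and database values are placeholders.

```php
<?php
// Added example, not Phabricator's code. Hypothetical helper for the MySQLi
// branch: refuse the client-side LOCAL INFILE capability before connecting.
function connect_without_local_infile(
  string $host, string $user, string $pass, string $db): mysqli {
  $conn = mysqli_init();
  // Options must be set before mysqli_real_connect(); once the handshake is
  // done, a malicious server can already answer a query with a file request.
  if (!mysqli_options($conn, MYSQLI_OPT_LOCAL_INFILE, 0)) {
    throw new RuntimeException('Unable to disable MYSQLI_OPT_LOCAL_INFILE');
  }
  if (!mysqli_real_connect($conn, $host, $user, $pass, $db)) {
    throw new RuntimeException('Connect failed: '.mysqli_connect_error());
  }
  return $conn;
}

// Hypothetical setup check for the non-MySQLi branch. Returns a warning
// string when the legacy extension's ini flag still allows LOCAL INFILE,
// or null when nothing needs to be reported.
function local_infile_setup_warning(bool $using_mysqli): ?string {
  if ($using_mysqli) {
    return null; // handled per connection by connect_without_local_infile()
  }
  $flag = ini_get('mysql.allow_local_infile');
  if ($flag === false || $flag === '') {
    return null; // setting not present (e.g. extension not loaded)
  }
  // php.ini booleans read back as "1"/"0"; also accept "On"/"Off" style.
  if (filter_var($flag, FILTER_VALIDATE_BOOLEAN)) {
    return 'mysql.allow_local_infile is enabled: a malicious MySQL server '.
      'could read files from this host. Set it to Off in php.ini.';
  }
  return null;
}

// Placeholder usage: values are not real credentials.
$warning = local_infile_setup_warning(false);
if ($warning !== null) {
  fwrite(STDERR, "Setup warning: {$warning}\n");
}
$conn = connect_without_local_infile('127.0.0.1', 'user', 'password', 'db');
$conn->close();
```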