Change Details

Ref T13238. See PHI1014. To attempt to defuse attacks based on "LOAD DATA INFILE LOCAL", set `MYSQLI_OPT_LOCAL_INFILE`. This option is documented as disabling local file loads. This doesn't actually work for me: I can still "LOAD DATA INFILE LOCAL" with this option set. However, it probably can't hurt? I'll dig into this a bit more before I land this change, I suspect this option must work sometimes and maybe it's just detecting that my client and server are both the same host or something. Separately, capture and raise errors from `mysqli->query()` which do not set the connection error code more accurately. Before this change, trying "LOAD DATA INFILE LOCAL" with "mysqli.allow_local_infile = 0" raised `Error #0: `. Now, it raises `EXCEPTION: (AphrontQueryException) #777777: mysqli::query(): LOAD DATA LOCAL INFILE forbidden`.

Ref T13238. See PHI1014. To attempt to defuse attacks based on "LOAD DATA INFILE LOCAL", set `MYSQLI_OPT_LOCAL_INFILE`. This option is documented as disabling local file loads. This doesn't actually work for me: I can still "LOAD DATA INFILE LOCAL" with this option set. However, it probably can't hurt? I'll dig into this a bit more before I land this change, I suspect this option must work sometimes and maybe it's just detecting that my client and server are both the same host or something. (Some amount of digging at least //suggests// this might be a simple bug where `mysqli. allow_local_infile` is overwriting the `options()` call.) Separately, capture and raise errors from `mysqli->query()` which do not set the connection error code more accurately. Before this change, trying "LOAD DATA INFILE LOCAL" with "mysqli.allow_local_infile = 0" raised `Error #0: `. Now, it raises `EXCEPTION: (AphrontQueryException) #777777: mysqli::query(): LOAD DATA LOCAL INFILE forbidden`.

Ref T13238. See PHI1014. To attempt to defuse attacks based on "LOAD DATA INFILE LOCAL", set `MYSQLI_OPT_LOCAL_INFILE`. This option is documented as disabling local file loads. This doesn't actually work for me: I can still "LOAD DATA INFILE LOCAL" with this option set. However, it probably can't hurt? I'll dig into this a bit more before I land this change, I suspect this option must work sometimes and maybe it's just detecting that my client and server are both the same host or something. (Some amount of digging at least //suggests// this might be a simple bug where `mysqli. allow_local_infile` is overwriting the `options()` call.) Separately, capture and raise errors from `mysqli->query()` which do not set the connection error code more accurately. Before this change, trying "LOAD DATA INFILE LOCAL" with "mysqli.allow_local_infile = 0" raised `Error #0: `. Now, it raises `EXCEPTION: (AphrontQueryException) #777777: mysqli::query(): LOAD DATA LOCAL INFILE forbidden`.