When local_infile=True is set on a connection, a malicious or compromised MySQL server can send a LOAD LOCAL INFILE request packet containing an arbitrary filename (e.g., ../../../etc/passwd). The client blindly opens the file and streams its contents back to the server.
Fix:
In LoadLocalFile.__init__(), resolve the server-provided filename to an absolute path using os.path.realpath()
Reject filenames that fall outside the current working directory
Use the existing CR_LOAD_DATA_LOCAL_INFILE_REALPATH_FAIL error code (which was defined but never referenced in the codebase)
Add tests verifying path traversal and absolute path rejection
Note: The constant CR_LOAD_DATA_LOCAL_INFILE_REALPATH_FAIL = 2069 was already defined in pymysql/constants/CR.py, strongly suggesting that realpath validation was planned but never implemented. This PR completes that security hardening.
First of all, you should not connect to an untrusted MySQL server. Also, using local_infile=False prevents the MySQL server from loading local files.
There is room for improvement to make LOAD LOCAL INFILE safer, but the proposed design is not good. It breaks backward compatibility when the data file is outside the current directory, and there is no guarantee that no file exists under the current directory that would be a problem if it were stolen.
As a simple and effective countermeasure, one idea is to raise an error for any LOAD LOCAL packet that targets a filename other than a string passed in args. For backward compatibility, this behavior could be enabled by an option such as load_infile="only_args" rather than being the default.
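Added example, not PyMySQL's code and not part of either comment above: the two client-side policies under discussion, the PR's cwd realpath check and the maintainer's only_args allowlist, written as stand-alone functions over the filename a server sends in its LOAD LOCAL INFILE request packet. The function names, the mode strings and the working directory /srv/app are constructed for illustration.

```python
import os
from typing import Iterable


def cwd_realpath_allows(server_filename: str, cwd: str) -> bool:
    """The PR's policy: serve the file only if its real path lies under cwd.

    cwd is an explicit parameter so the check is deterministic; a real client
    would use os.getcwd().
    """
    base = os.path.realpath(cwd)
    # Relative names resolve against cwd; absolute names are kept as-is by join().
    target = os.path.realpath(os.path.join(base, server_filename))
    # commonpath avoids prefix tricks such as /srv/app matching /srv/app2.
    return os.path.commonpath([base, target]) == base


def only_args_allows(server_filename: str, args: Iterable[object]) -> bool:
    """The maintainer's proposal (load_infile="only_args"): the server may only
    ask for a filename the application itself passed as a query parameter."""
    allowed = {a for a in args if isinstance(a, str)}
    return server_filename in allowed


def allow_local_infile(server_filename: str, *, mode: str, args=(), cwd: str = ".") -> bool:
    """Dispatch on a hypothetical option value; unknown modes fail closed."""
    if mode == "cwd_realpath":
        return cwd_realpath_allows(server_filename, cwd)
    if mode == "only_args":
        return only_args_allows(server_filename, args)
    return False


if __name__ == "__main__":
    # Constructed scenario: the app ran "LOAD DATA LOCAL INFILE %s ..." with
    # args=("data.csv",) from /srv/app, and a hostile server replies with each
    # of these filenames. Note that ".env" passes the cwd check but not only_args.
    app_args = ("data.csv",)
    for name in ("data.csv", ".env", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:25} cwd_realpath={cwd_realpath_allows(name, '/srv/app')!s:5} "
              f"only_args={only_args_allows(name, app_args)}")
```

The ".env" row is the maintainer's objection in code: a secret file under the working directory is inside cwd and so survives the realpath check, while the allowlist rejects anything the application did not name.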
This PR fixes a path traversal vulnerability in LOAD DATA LOCAL INFILE handling.
CWE: CWE-22 (Path Traversal)
File: pymysql/connections.py