Skip to content

security: restrict LOAD DATA LOCAL INFILE to query arguments with local_infile='only_args'#1248

Open
dfgvaetyj3456356-hash wants to merge 2 commits into
PyMySQL:mainfrom
dfgvaetyj3456356-hash:security/local-infile-only-args
Open

security: restrict LOAD DATA LOCAL INFILE to query arguments with local_infile='only_args'#1248
dfgvaetyj3456356-hash wants to merge 2 commits into
PyMySQL:mainfrom
dfgvaetyj3456356-hash:security/local-infile-only-args

Conversation

@dfgvaetyj3456356-hash

@dfgvaetyj3456356-hash dfgvaetyj3456356-hash commented May 29, 2026

Copy link
Copy Markdown

This addresses maintainer feedback from #1247. The new local_infile='only_args' mode restricts file loading to files explicitly passed as query arguments, preventing arbitrary file reads.

Security Researcher and others added 2 commits May 28, 2026 06:35
security: prevent path traversal in LOAD DATA LOCAL INFILE
1504c06
security: add local_infile='only_args' to restrict LOAD DATA LOCAL IN…
6fe9937 
…FILE

Adds a new local_infile='only_args' option that restricts LOAD DATA
LOCAL INFILE to only allow files explicitly passed as query arguments.
This prevents malicious MySQL servers from requesting arbitrary local
files while maintaining full backward compatibility.

- local_infile=True: existing behavior (allow any file)
- local_infile=False: existing behavior (reject all)
- local_infile='only_args': NEW - only allow files from query args

Fixes: CWE-22 (Path Traversal) in LOAD DATA LOCAL INFILE
Refs: PR PyMySQL#1247 maintainer feedback
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dfgvaetyj3456356-hash