MySQL2 LOCAL INFILE should be disabled by default.

MySQL LOCAL INFILE has been leveraged to perform file exfiltration in the [past][1].

Official [documentation][2] advise to disable this capability unless it is explicitly enabled.
```
To avoid LOAD DATA issues, clients should avoid using LOCAL unless proper client-side precautions have been taken.
```

May you consider disabling `LOCAL INFILE` by default in future `mysql2` releases?

Following the affected code that in null-y case will default to `1` (enabled)
```
    case MYSQL_OPT_LOCAL_INFILE:
      intval = (value == Qfalse ? 0 : 1);
      retval = &intval;
      break;
```

[1]: https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html
[2]: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

MySQL2 LOCAL INFILE should be disabled by default. #1127

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

MySQL2 LOCAL INFILE should be disabled by default. #1127

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions