MySQL has released a security statement providing the following information:
The LOAD DATA statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.
There are two potential security issues with the
- The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)
- In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to (assuming that a user could run any statement against the SQL server). In this environment, the client with respect to the MySQL server actually is the Web server, not a remote program being run by users who connect to the Web server.
To avoid LOAD DATA issues, clients should avoid using LOCAL. To avoid connecting to untrusted servers, clients can establish a secure connection and verify the server identity by connecting using the --ssl-mode=VERIFY_IDENTITY option and the appropriate CA certificate.
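
One way to check a client host against both recommendations above is to audit its MySQL option file. This is an added example, not part of the MySQL statement or MySQL's own code. It assumes the client options local-infile, ssl-ca and ssl-capath (not named above), reads only the [client] and [mysql] groups, does not follow !include directives, and uses constructed sample file content.

```python
# Added example: audit a MySQL client option file against the two mitigations above.
# The sample option-file content below is constructed for illustration.
SAMPLE_CNF = """\
[client]
host = db.internal.example
local-infile = 1
ssl-mode = REQUIRED

[mysqldump]
quick
"""

TRUTHY = {"", "1", "on", "true"}  # a bare boolean option counts as enabled


def parse_options(text, groups=("client", "mysql")):
    """Return the effective options for the given groups (later lines win)."""
    opts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current not in groups:
            continue
        name, _, value = line.partition("=")
        # Option names accept dashes or underscores and an optional loose- prefix.
        name = name.strip().lower().replace("_", "-")
        if name.startswith("loose-"):
            name = name[len("loose-"):]
        opts[name] = value.strip().strip("'\"")
    return opts


def audit(text):
    """List findings for LOCAL being enabled or server identity not verified."""
    opts, findings = parse_options(text), []
    if "local-infile" in opts and opts["local-infile"].lower() in TRUTHY:
        findings.append("local-infile is enabled: server can request client files")
    mode = opts.get("ssl-mode", "").upper()
    if mode != "VERIFY_IDENTITY":
        findings.append(f"ssl-mode is {mode or 'unset'}, not VERIFY_IDENTITY")
    if "ssl-ca" not in opts and "ssl-capath" not in opts:
        findings.append("no ssl-ca/ssl-capath: no CA certificate to verify against")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CNF):
        print("FINDING:", finding)
```

An empty list from audit() means none of the three checks fired; options passed on the command line or set in application connector code are outside what this reads.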