Add setup warnings for "local_infile" (MySQL Server) and "mysql[i].allow_local_infile" (PHP Client)

Summary: Ref T13238. Warn users about these horrible options and encourage them to defuse them. Test Plan: Hit both warnings, fixed the issues, issues went away. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13238 Differential Revision: https://secure.phabricator.com/D19999
2024-11-26 08:42:41 +01:00 · 2019-01-18 09:35:45 -08:00 · 2019-01-18 09:35:45 -08:00 · 98bf3a950d
commit 98bf3a950d
parent 310ad7f8f4
2 changed files with 64 additions and 0 deletions
--- a/src/applications/config/check/PhabricatorMySQLSetupCheck.php
+++ b/src/applications/config/check/PhabricatorMySQLSetupCheck.php
@ -382,6 +382,34 @@ final class PhabricatorMySQLSetupCheck extends PhabricatorSetupCheck {
            new PhutilNumber($delta)));
    }

+    $local_infile = $ref->loadRawMySQLConfigValue('local_infile');
+    if ($local_infile) {
+      $summary = pht(
+        'The MySQL "local_infile" option is enabled. This option is '.
+        'unsafe.');
+
+      $message = pht(
+        'Your MySQL server is configured with the "local_infile" option '.
+        'enabled. This option allows an attacker who finds an SQL injection '.
+        'hole to escalate their attack by copying files from the webserver '.
+        'into the database with "LOAD DATA LOCAL INFILE" queries, then '.
+        'reading the file content with "SELECT" queries.'.
+        "\n\n".
+        'You should disable this option in your %s file, in the %s section:'.
+        "\n\n".
+        '%s',
+        phutil_tag('tt', array(), 'my.cnf'),
+        phutil_tag('tt', array(), '[mysqld]'),
+        phutil_tag('pre', array(), 'local_infile=0'));
+
+      $this->newIssue('mysql.local_infile')
+        ->setName(pht('Unsafe MySQL "local_infile" Setting Enabled'))
+        ->setSummary($summary)
+        ->setMessage($message)
+        ->setDatabaseRef($ref)
+        ->addMySQLConfig('local_infile');
+    }
+
  }

  protected function shouldUseMySQLSearchEngine() {
--- a/src/applications/config/check/PhabricatorPHPConfigSetupCheck.php
+++ b/src/applications/config/check/PhabricatorPHPConfigSetupCheck.php
@ -112,6 +112,42 @@ final class PhabricatorPHPConfigSetupCheck extends PhabricatorSetupCheck {
        ->setMessage($message);
    }

+
+    if (extension_loaded('mysqli')) {
+      $infile_key = 'mysqli.allow_local_infile';
+    } else {
+      $infile_key = 'mysql.allow_local_infile';
+    }
+
+    if (ini_get($infile_key)) {
+      $summary = pht(
+        'Disable unsafe option "%s" in PHP configuration.',
+        $infile_key);
+
+      $message = pht(
+        'PHP is currently configured to honor requests from any MySQL server '.
+        'it connects to for the content of any local file.'.
+        "\n\n".
+        'This capability supports MySQL "LOAD DATA LOCAL INFILE" queries, but '.
+        'allows a malicious MySQL server read access to the local disk: the '.
+        'server can ask the client to send the content of any local file, '.
+        'and the client will comply.'.
+        "\n\n".
+        'Although it is normally difficult for an attacker to convince '.
+        'Phabricator to connect to a malicious MySQL server, you should '.
+        'disable this option: this capability is unnecessary and inherently '.
+        'dangerous.'.
+        "\n\n".
+        'To disable this option, set: %s',
+        phutil_tag('tt', array(), pht('%s = 0', $infile_key)));
+
+      $this->newIssue('php.'.$infile_key)
+        ->setName(pht('Unsafe PHP "Local Infile" Configuration'))
+        ->setSummary($summary)
+        ->setMessage($message)
+        ->addPHPConfig($infile_key);
+    }
+
  }

 }