mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-26 23:40:57 +01:00
Add setup warnings for "local_infile" (MySQL Server) and "mysql[i].allow_local_infile" (PHP Client)
Summary: Ref T13238. Warn users about these horrible options and encourage them to defuse them. Test Plan: Hit both warnings, fixed the issues, issues went away. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13238 Differential Revision: https://secure.phabricator.com/D19999
This commit is contained in:
parent
310ad7f8f4
commit
98bf3a950d
2 changed files with 64 additions and 0 deletions
|
@ -382,6 +382,34 @@ final class PhabricatorMySQLSetupCheck extends PhabricatorSetupCheck {
|
|||
new PhutilNumber($delta)));
|
||||
}
|
||||
|
||||
$local_infile = $ref->loadRawMySQLConfigValue('local_infile');
|
||||
if ($local_infile) {
|
||||
$summary = pht(
|
||||
'The MySQL "local_infile" option is enabled. This option is '.
|
||||
'unsafe.');
|
||||
|
||||
$message = pht(
|
||||
'Your MySQL server is configured with the "local_infile" option '.
|
||||
'enabled. This option allows an attacker who finds an SQL injection '.
|
||||
'hole to escalate their attack by copying files from the webserver '.
|
||||
'into the database with "LOAD DATA LOCAL INFILE" queries, then '.
|
||||
'reading the file content with "SELECT" queries.'.
|
||||
"\n\n".
|
||||
'You should disable this option in your %s file, in the %s section:'.
|
||||
"\n\n".
|
||||
'%s',
|
||||
phutil_tag('tt', array(), 'my.cnf'),
|
||||
phutil_tag('tt', array(), '[mysqld]'),
|
||||
phutil_tag('pre', array(), 'local_infile=0'));
|
||||
|
||||
$this->newIssue('mysql.local_infile')
|
||||
->setName(pht('Unsafe MySQL "local_infile" Setting Enabled'))
|
||||
->setSummary($summary)
|
||||
->setMessage($message)
|
||||
->setDatabaseRef($ref)
|
||||
->addMySQLConfig('local_infile');
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
protected function shouldUseMySQLSearchEngine() {
|
||||
|
|
|
@ -112,6 +112,42 @@ final class PhabricatorPHPConfigSetupCheck extends PhabricatorSetupCheck {
|
|||
->setMessage($message);
|
||||
}
|
||||
|
||||
|
||||
if (extension_loaded('mysqli')) {
|
||||
$infile_key = 'mysqli.allow_local_infile';
|
||||
} else {
|
||||
$infile_key = 'mysql.allow_local_infile';
|
||||
}
|
||||
|
||||
if (ini_get($infile_key)) {
|
||||
$summary = pht(
|
||||
'Disable unsafe option "%s" in PHP configuration.',
|
||||
$infile_key);
|
||||
|
||||
$message = pht(
|
||||
'PHP is currently configured to honor requests from any MySQL server '.
|
||||
'it connects to for the content of any local file.'.
|
||||
"\n\n".
|
||||
'This capability supports MySQL "LOAD DATA LOCAL INFILE" queries, but '.
|
||||
'allows a malicious MySQL server read access to the local disk: the '.
|
||||
'server can ask the client to send the content of any local file, '.
|
||||
'and the client will comply.'.
|
||||
"\n\n".
|
||||
'Although it is normally difficult for an attacker to convince '.
|
||||
'Phabricator to connect to a malicious MySQL server, you should '.
|
||||
'disable this option: this capability is unnecessary and inherently '.
|
||||
'dangerous.'.
|
||||
"\n\n".
|
||||
'To disable this option, set: %s',
|
||||
phutil_tag('tt', array(), pht('%s = 0', $infile_key)));
|
||||
|
||||
$this->newIssue('php.'.$infile_key)
|
||||
->setName(pht('Unsafe PHP "Local Infile" Configuration'))
|
||||
->setSummary($summary)
|
||||
->setMessage($message)
|
||||
->addPHPConfig($infile_key);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue