1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-29 18:22:41 +01:00

Add setup warnings for "local_infile" (MySQL Server) and "mysql[i].allow_local_infile" (PHP Client)

Summary: Ref T13238. Warn users about these horrible options and encourage them to defuse them.

Test Plan: Hit both warnings, fixed the issues, issues went away.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13238

Differential Revision: https://secure.phabricator.com/D19999
This commit is contained in:
epriestley 2019-01-18 09:35:45 -08:00
parent 310ad7f8f4
commit 98bf3a950d
2 changed files with 64 additions and 0 deletions

View file

@ -382,6 +382,34 @@ final class PhabricatorMySQLSetupCheck extends PhabricatorSetupCheck {
new PhutilNumber($delta)));
}
$local_infile = $ref->loadRawMySQLConfigValue('local_infile');
if ($local_infile) {
$summary = pht(
'The MySQL "local_infile" option is enabled. This option is '.
'unsafe.');
$message = pht(
'Your MySQL server is configured with the "local_infile" option '.
'enabled. This option allows an attacker who finds an SQL injection '.
'hole to escalate their attack by copying files from the webserver '.
'into the database with "LOAD DATA LOCAL INFILE" queries, then '.
'reading the file content with "SELECT" queries.'.
"\n\n".
'You should disable this option in your %s file, in the %s section:'.
"\n\n".
'%s',
phutil_tag('tt', array(), 'my.cnf'),
phutil_tag('tt', array(), '[mysqld]'),
phutil_tag('pre', array(), 'local_infile=0'));
$this->newIssue('mysql.local_infile')
->setName(pht('Unsafe MySQL "local_infile" Setting Enabled'))
->setSummary($summary)
->setMessage($message)
->setDatabaseRef($ref)
->addMySQLConfig('local_infile');
}
}
protected function shouldUseMySQLSearchEngine() {

View file

@ -112,6 +112,42 @@ final class PhabricatorPHPConfigSetupCheck extends PhabricatorSetupCheck {
->setMessage($message);
}
if (extension_loaded('mysqli')) {
$infile_key = 'mysqli.allow_local_infile';
} else {
$infile_key = 'mysql.allow_local_infile';
}
if (ini_get($infile_key)) {
$summary = pht(
'Disable unsafe option "%s" in PHP configuration.',
$infile_key);
$message = pht(
'PHP is currently configured to honor requests from any MySQL server '.
'it connects to for the content of any local file.'.
"\n\n".
'This capability supports MySQL "LOAD DATA LOCAL INFILE" queries, but '.
'allows a malicious MySQL server read access to the local disk: the '.
'server can ask the client to send the content of any local file, '.
'and the client will comply.'.
"\n\n".
'Although it is normally difficult for an attacker to convince '.
'Phabricator to connect to a malicious MySQL server, you should '.
'disable this option: this capability is unnecessary and inherently '.
'dangerous.'.
"\n\n".
'To disable this option, set: %s',
phutil_tag('tt', array(), pht('%s = 0', $infile_key)));
$this->newIssue('php.'.$infile_key)
->setName(pht('Unsafe PHP "Local Infile" Configuration'))
->setSummary($summary)
->setMessage($message)
->addPHPConfig($infile_key);
}
}
}