recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Add setup warnings for "local_infile" (MySQL Server) and "mysql[i].allow_local_infile" (PHP Client)

Summary: Ref T13238. Warn users about these horrible options and encourage them to defuse them.

Test Plan: Hit both warnings, fixed the issues, issues went away.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13238

Differential Revision: https://secure.phabricator.com/D19999

epriestley 98bf3a95 310ad7f8

+64
+28
src/applications/config/check/PhabricatorMySQLSetupCheck.php
··· 382 382 new PhutilNumber($delta))); 383 383 } 384 384 385 + $local_infile = $ref->loadRawMySQLConfigValue('local_infile'); 386 + if ($local_infile) { 387 + $summary = pht( 388 + 'The MySQL "local_infile" option is enabled. This option is '. 389 + 'unsafe.'); 390 + 391 + $message = pht( 392 + 'Your MySQL server is configured with the "local_infile" option '. 393 + 'enabled. This option allows an attacker who finds an SQL injection '. 394 + 'hole to escalate their attack by copying files from the webserver '. 395 + 'into the database with "LOAD DATA LOCAL INFILE" queries, then '. 396 + 'reading the file content with "SELECT" queries.'. 397 + "\n\n". 398 + 'You should disable this option in your %s file, in the %s section:'. 399 + "\n\n". 400 + '%s', 401 + phutil_tag('tt', array(), 'my.cnf'), 402 + phutil_tag('tt', array(), '[mysqld]'), 403 + phutil_tag('pre', array(), 'local_infile=0')); 404 + 405 + $this->newIssue('mysql.local_infile') 406 + ->setName(pht('Unsafe MySQL "local_infile" Setting Enabled')) 407 + ->setSummary($summary) 408 + ->setMessage($message) 409 + ->setDatabaseRef($ref) 410 + ->addMySQLConfig('local_infile'); 411 + } 412 + 385 413 } 386 414 387 415 protected function shouldUseMySQLSearchEngine() {
+36
src/applications/config/check/PhabricatorPHPConfigSetupCheck.php
··· 112 112 ->setMessage($message); 113 113 } 114 114 115 + 116 + if (extension_loaded('mysqli')) { 117 + $infile_key = 'mysqli.allow_local_infile'; 118 + } else { 119 + $infile_key = 'mysql.allow_local_infile'; 120 + } 121 + 122 + if (ini_get($infile_key)) { 123 + $summary = pht( 124 + 'Disable unsafe option "%s" in PHP configuration.', 125 + $infile_key); 126 + 127 + $message = pht( 128 + 'PHP is currently configured to honor requests from any MySQL server '. 129 + 'it connects to for the content of any local file.'. 130 + "\n\n". 131 + 'This capability supports MySQL "LOAD DATA LOCAL INFILE" queries, but '. 132 + 'allows a malicious MySQL server read access to the local disk: the '. 133 + 'server can ask the client to send the content of any local file, '. 134 + 'and the client will comply.'. 135 + "\n\n". 136 + 'Although it is normally difficult for an attacker to convince '. 137 + 'Phabricator to connect to a malicious MySQL server, you should '. 138 + 'disable this option: this capability is unnecessary and inherently '. 139 + 'dangerous.'. 140 + "\n\n". 141 + 'To disable this option, set: %s', 142 + phutil_tag('tt', array(), pht('%s = 0', $infile_key))); 143 + 144 + $this->newIssue('php.'.$infile_key) 145 + ->setName(pht('Unsafe PHP "Local Infile" Configuration')) 146 + ->setSummary($summary) 147 + ->setMessage($message) 148 + ->addPHPConfig($infile_key); 149 + } 150 + 115 151 } 116 152 117 153 }