10bet网址
MySQL 8.0 Reference Manual
Related Documentation Download this Manual Excerpts from this Manual

MySQL 8.0 Reference Manual/.../ Security Considerations for LOAD DATA LOCAL

6.1.6 Security Considerations for LOAD DATA LOCAL

TheLOAD DATAstatement loads a data file into a table. The statement can load a file located on the server host, or, if theLOCALkeyword is specified, on the client host.

TheLOCALversion ofLOAD DATAhas two potential security issues:

  • BecauseLOAD DATA LOCALis an SQL statement, parsing occurs on the server side, and transfer of the file from the client host to the server host is initiated by the MySQL server, which tells the client the file named in the statement. In theory, a patched server could tell the client program to transfer a file of the server's choosing rather than the file named in the statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not justLOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)

  • In a Web environment where the clients are connecting from a Web server, a user could useLOAD DATA LOCALto read any files that the Web server process has read access to (assuming that a user could run any statement against the SQL server). In this environment, the client with respect to the MySQL server actually is the Web server, not a remote program being run by users who connect to the Web server.

To avoid connecting to untrusted servers, clients can establish a secure connection and verify the server identity by connecting using the--ssl-mode=VERIFY_IDENTITYoption and the appropriate CA certificate.

To avoidLOAD DATAissues, clients should avoid usingLOCALunless proper client-side precautions have been taken.

For control over local data loading, MySQL permits the capability to be enabled or disabled. In addition, as of MySQL 8.0.21, MySQL enables clients to restrict local data loading operations to files located in a designated directory.

Enabling or Disabling Local Data Loading Capability

Adminstrators and applications can configure whether to permit local data loading as follows:

  • On the server side:

    • Thelocal_infilesystem variable controls server-sideLOCALcapability. Depending on thelocal_infilesetting, the server refuses or permits local data loading by clients that request local data loading.

    • By default,local_infileis disabled. To explicitly cause the server to refuse or permitLOAD DATA LOCALstatements (regardless of how client programs and libraries are configured at build time or runtime), startmysqldwithlocal_infiledisabled or enabled.local_infilecan also be set at runtime.

  • On the client side:

    • TheENABLED_LOCAL_INFILECMakeoption controls the compiled-in defaultLOCALcapability for the MySQL client library (seeSection 2.9.7, “MySQL Source-Configuration Options”). Clients that make no explicit arrangements therefore haveLOCALcapability disabled or enabled according to theENABLED_LOCAL_INFILEsetting specified at MySQL build time.

    • By default, the client library in MySQL binary distributions is compiled withENABLED_LOCAL_INFILEdisabled. If you compile MySQL from source, configure it withENABLED_LOCAL_INFILEdisabled or enabled based on whether clients that make no explicit arrangements should haveLOCALcapability disabled or enabled.

    • For client programs that use the C API, local data loading capability is determined by the default compiled into the MySQL client library. To enable or disable it explicitly, invoke themysql_options()C API function to disable or enable theMYSQL_OPT_LOCAL_INFILEoption. Seemysql_options().

    • For themysqlclient, local data loading capability is determined by the default compiled into the MySQL client library. To disable or enable it explicitly, use the--local-infile=0or--local-infile[=1]option.

    • For themysqlimportclient, local data loading is not used by default. To disable or enable it explicitly, use the--local=0or--local[=1]option.

    • If you useLOAD DATA LOCALin Perl scripts or other programs that read the[client]group from option files, you can add alocal-infileoption setting to that group. To prevent problems for programs that do not understand this option, specify it using theloose-prefix:

      [client] loose-local-infile=0

      or:

      [client] loose-local-infile=1
    • 在所有情况下,successful use of aLOCALload operation by a client also requires that the server permits local loading.

IfLOCALcapability is disabled, on either the server or client side, a client that attempts to issue aLOAD DATA LOCALstatement receives the following error message:

ERROR 3950 (42000): Loading local data is disabled; this must be enabled on both the client and server side

Restricting Files Permitted for Local Data Loading

As of MySQL 8.0.21, the MySQL client library enables client applications to restrict local data loading operations to files located in a designated directory. Certain MySQL client programs take advantage of this capability.

Client programs that use the C API can control which files to permit for load data loading using theMYSQL_OPT_LOCAL_INFILEandMYSQL_OPT_LOAD_DATA_LOCAL_DIRoptions of themysql_options()C API function (seemysql_options()).

The effect ofMYSQL_OPT_LOAD_DATA_LOCAL_DIRdepends on whetherLOCALdata loading is enabled or disabled:

  • IfLOCALdata loading is enabled, either by default in the MySQL client library or by explicitly enablingMYSQL_OPT_LOCAL_INFILE,MYSQL_OPT_LOAD_DATA_LOCAL_DIRoption has no effect.

  • IfLOCALdata loading is disabled, either by default in the MySQL client library or by explicitly disablingMYSQL_OPT_LOCAL_INFILE,MYSQL_OPT_LOAD_DATA_LOCAL_DIRoption can be used to designate a permitted directory for locally loaded files. In this case,LOCALdata loading is permitted but restricted to files located in the designated directory. Interpretation of theMYSQL_OPT_LOAD_DATA_LOCAL_DIRvalue is as follows:

    • If the value is the null pointer (the default), it names no directory, with the result that no files are permitted forLOCALdata loading.

    • If the value is a directory path name,LOCALdata loading is permitted but restricted to files located in the named directory. Comparison of the directory path name and the path name of files to be loaded is case-sensitive regardless of the case sensitivity of the underlying file system.

MySQL client programs use the precedingmysql_options()options as follows:

  • Themysqlclient has a--load-data-local-diroption that takes a directory path or an empty string.mysqluses the option value to set theMYSQL_OPT_LOAD_DATA_LOCAL_DIRoption (with an empty string setting the value to the null pointer). The effect of--load-data-local-dirdepends on whetherLOCALdata loading is enabled:

    When--load-data-local-dirapplies, the option value designates the directory in which local data files must be located. Comparison of the directory path name and the path name of files to be loaded is case-sensitive regardless of the case sensitivity of the underlying file system. If the option value is the empty string, it names no directory, with the result that no files are permitted for local data loading.

  • mysqlimportsetsMYSQL_OPT_LOAD_DATA_LOCAL_DIRfor each file that it processes so that the directory containing the file is the permitted local loading directory.

  • For data loading operations corresponding toLOAD DATAstatements,mysqlbinlogextracts the files from the binary log events, writes them as temporary files to the local file system, and writesLOAD DATA LOCALstatements to cause the files to be loaded. By default,mysqlbinlogwrites these temporary files to an operating system-specific directory. The--local-loadoption can be used to explicitly specify the directory wheremysqlbinlogshould prepare local temporary files.

    Because other processes can write files to the default system-specific directory, it is advisable to specify the--local-loadoption tomysqlbinlogto designate a different directory for data files, and then designate that same directory by specifying the--load-data-local-diroption tomysqlwhen processing the output frommysqlbinlog.

MySQL Shell and Local Data Loading

MySQL Shell provides a number of utilities to dump tables, schemas, or server instances and load them into other instances. When you use these utilities to handle the data, MySQL Shell provides additional functions such as input preprocessing, multithreaded parallel loading, file compression and decompression, and handling access to Oracle Cloud Infrastructure Object Storage buckets. To get the best functionality, always use the most recent version available of MySQL Shell's dump and dump loading utilities.

MySQL Shell's data upload utilities useLOAD DATA LOCAL INFILEstatements to upload data, so thelocal_infilesystem variable must be set toONon the target server instance. You can do this before uploading the data, and remove it again afterwards. The utilities handle the file transfer requests safely to deal with the security considerations discussed in this topic.

MySQL Shell includes these dump and dump loading utilities:

Table export utilityutil.exportTable()

Exports a MySQL relational table into a data file, which can be uploaded to a MySQL server instance using MySQL Shell's parallel table import utility, imported to a different application, or used as a logical backup. The utility has preset options and customization options to produce different output formats.

Parallel table import utilityutil.importTable()

Inports a data file to a MySQL relational table. The data file can be the output from MySQL Shell's table export utility or another format supported by the utility's preset and customization options. The utility can carry out input preprocessing before adding the data to the table. It can accept multiple data files to merge into a single relational table, and automatically decompresses compressed files.

Instance dump utilityutil.dumpInstance(), schema dump utilityutil.dumpSchemas(), and table dump utilityutil.dumpTables()

Export an instance, schema, or table to a set of dump files, which can then be uploaded to a MySQL instance using MySQL Shell's dump loading utility. The utilities provide Oracle Cloud Infrastructure Object Storage streaming, MySQL Database Service compatibility checks and modifications, and the ability to carry out a dry run to identify issues before proceeding with the dump.

Dump loading utilityutil.loadDump()

Import dump files created using MySQL Shell's instance, schema, or table dump utility into a MySQL Database Service DB System or a MySQL Server instance. The utility manages the upload process and provides data streaming from remote storage, parallel loading of tables or table chunks, progress state tracking, resume and reset capability, and the option of concurrent loading while the dump is still taking place. MySQL Shell’s parallel table import utility can be used in combination with the dump loading utility to modify data before uploading it to the target MySQL instance.

For details of the utilities, seeMySQL Shell Utilities.