List: Commits
From: Sergei Golubchik
Date: February 5 2009 9:45pm
Subject: Re: bzr commit into mysql-5.1-bugteam branch (alfranio.correia:2768) Bug#38174
Hi, Alfranio!

On Feb 05, Alfranio Correia wrote:
> #At
> file:///home/acorreia/workspace.sun/repository.mysql/bzrwork/bug-38174/mysql-5.1-bugteam/
> based on revid:matthias.leich@stripped
> 
>  2768 Alfranio Correia	2009-02-05
>       BUG#38174 secure-file-priv breaks LOAD DATA INFILE replication
>       in statement mode
>       
>       If secure-file-priv was set on slave, it became unable to
>       execute LOAD DATA INFILE statements sent from master using mixed
>       or statement-based replication.
>       
>       This patch fixes the issue by ignoring this security restriction
>       while executing the SQL Thread.

I don't think it's a good idea. The restriction was there for a reason
and I'm not at all sure that one cannot exploit your fix by breaking out
of jail and reading files that should not be accessible otherwise.

To play it safe you need to ignore the restriction differently:
in the normal query thread you check opt_secure_file_priv as before, in
the slave thread, ignore opt_secure_file_priv, and (!) independently of
opt_secure_file_priv you verify that you load from

  CONCAT(tmpdir, "SQL_LOAD-")

(and it would be a good idea to move "SQL_LOAD-" to a constant, it's
currently used in two places as a string literal).

Regards / Mit vielen Grüßen,
Sergei

-- 
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@stripped>
 / /|_/ / // /\ \/ /_/ / /__  Principal Software Engineer/Server Architect
/_/  /_/\_, /___/\___\_\___/  Sun Microsystems GmbH, HRB München 161028
       <___/                  Sonnenallee 1, 85551 Kirchheim-Heimstetten
Managing Directors: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
Chairman of the Supervisory Board: Martin Häring
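
The check proposed in the reply above, sketched as an added example; it is not code from the MySQL tree or from either participant. `load_path_allowed`, `has_dotdot` and `under_dir` are hypothetical names. It assumes the path has already been made absolute, that `..` components are rejected rather than resolved, and that replicated load files sit directly in tmpdir.

```c
#include <stdio.h>
#include <string.h>

/* Shared constant for the literal the reply says is used in two places. */
#define SQL_LOAD_PREFIX "SQL_LOAD-"

/* 1 if path contains a ".." component (assumption: reject, don't resolve). */
static int has_dotdot(const char *path)
{
    for (const char *p = path; (p = strstr(p, "..")) != NULL; p += 2)
        if ((p == path || p[-1] == '/') && (p[2] == '/' || p[2] == '\0'))
            return 1;
    return 0;
}

/* 1 if path lies below dir, matching on a directory boundary. */
static int under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (n == 0 || strncmp(path, dir, n) != 0)
        return 0;
    return dir[n - 1] == '/' || path[n] == '/';
}

/* Hypothetical helper: may this thread LOAD DATA INFILE from path?
   secure_file_priv == NULL means the option is unset. */
int load_path_allowed(const char *path, int slave_thread,
                      const char *secure_file_priv, const char *tmpdir)
{
    char jail[512];
    size_t tl = strlen(tmpdir);
    int n;

    if (path[0] != '/' || has_dotdot(path))
        return 0;
    if (!slave_thread)  /* normal query thread: check as before */
        return secure_file_priv == NULL || under_dir(path, secure_file_priv);

    /* Slave thread: secure_file_priv is ignored, but the file must match
       CONCAT(tmpdir, "SQL_LOAD-") whether or not the option is set. */
    if (tl == 0)
        return 0;
    n = snprintf(jail, sizeof jail, "%s%s" SQL_LOAD_PREFIX, tmpdir,
                 tmpdir[tl - 1] == '/' ? "" : "/");
    if (n < 0 || (size_t)n >= sizeof jail)
        return 0;
    return strncmp(path, jail, (size_t)n) == 0 && strchr(path + n, '/') == NULL;
}
```

The paths and directory values used to exercise it are constructed samples.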