Fix for Bug#30866178, Not recommended default for 'allowLoadLocalInfile'. Back-port from Bug#94051 (29261254).

Author: fjssilva

CHANGES

@@ -3,6 +3,8 @@
 
 Version 5.1.49
 
+  - Fix for Bug#30866178, Not recommended default for 'allowLoadLocalInfile'. Back-port from Bug#94051 (29261254).
+
   - Fix for Bug#30657312, Disable external entities in Fabric's XML parser.
 
   - Fix for Bug#96442 (30151808), INCORRECT DATE ERROR WHEN CALLING GETMETADATA ON PREPARED STATEMENT.

src/com/mysql/jdbc/ConnectionPropertiesImpl.java

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -668,7 +668,7 @@ protected static DriverPropertyInfo[] exposeAsDriverPropertyInfo(Properties info
         }).exposeAsDriverPropertyInfoInternal(info, slotsToReserve);
     }
 
-    private BooleanConnectionProperty allowLoadLocalInfile = new BooleanConnectionProperty("allowLoadLocalInfile", true,
+    private BooleanConnectionProperty allowLoadLocalInfile = new BooleanConnectionProperty("allowLoadLocalInfile", false,
             Messages.getString("ConnectionProperties.loadDataLocal"), "3.0.3", SECURITY_CATEGORY, Integer.MAX_VALUE);
 
     private BooleanConnectionProperty allowMultiQueries = new BooleanConnectionProperty("allowMultiQueries", false,

src/com/mysql/jdbc/LocalizedErrorMessages.properties

@@ -455,7 +455,7 @@ ConnectionProperties.categorySecurity=Security
 # ConnectionProperty Descriptions
 #
 
-ConnectionProperties.loadDataLocal=Should the driver allow use of 'LOAD DATA LOCAL INFILE...' (defaults to 'true').
+ConnectionProperties.loadDataLocal=Should the driver allow use of 'LOAD DATA LOCAL INFILE...'?
 ConnectionProperties.replicationEnableJMX=Enables JMX-based management of replication connection groups, including live slave promotion, addition of new slaves and removal of master or slave hosts from load-balanced master and slave connection pools.
 ConnectionProperties.replicationConnectionGroup=Logical group of replication connections within a classloader, used to manage different groups independently. If not specified, live management of replication connections is disabled.
 ConnectionProperties.allowMasterDownConnections=By default, a replication-aware connection will fail to connect when configured master hosts are all unavailable at initial connection. Setting this property to 'true' allows to establish the initial connection, by failing over to the slave servers, in read-only state. It won't prevent subsequent failures when switching back to the master hosts i.e. by setting the replication connection to read/write state.

src/testsuite/regression/ConnectionRegressionTest.java

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -4911,6 +4911,7 @@ public void testBug11237() throws Exception {
         }
 
         Properties props = new Properties();
+        props.put("allowLoadLocalInfile", "true");
         props.put("useCompression", "true");
         Connection conn1 = getConnectionWithProps(props);
         Statement stmt1 = conn1.createStatement();
@@ -4919,7 +4920,6 @@ public void testBug11237() throws Exception {
                 + CharsetMapping.getMysqlCharsetForJavaEncoding(((MySQLConnection) this.conn).getEncoding(), (com.mysql.jdbc.Connection) conn1));
 
         assertTrue(updateCount == loops);
-
     }
 
     public void testStackOverflowOnMissingInterceptor() throws Exception {

src/testsuite/regression/StatementRegressionTest.java

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -2255,8 +2255,25 @@ public void testLoadData() throws Exception {
             } else {
                 fileNameBuf = new StringBuilder(tempFile.getAbsolutePath());
             }
+            final String fileName = fileNameBuf.toString();
+
+            assertThrows(SQLException.class,
+                    versionMeetsMinimum(8, 0, 19) ? "Loading local data is disabled;.*" : "The used command is not allowed with this MySQL version",
+                    new Callable<Void>() {
+                        public Void call() throws Exception {
+                            StatementRegressionTest.this.stmt
+                                    .executeUpdate("LOAD DATA LOCAL INFILE '" + fileName + "' INTO TABLE loadDataRegress CHARACTER SET "
+                                            + CharsetMapping.getMysqlCharsetForJavaEncoding(((MySQLConnection) StatementRegressionTest.this.conn).getEncoding(),
+                                                    (com.mysql.jdbc.Connection) StatementRegressionTest.this.conn));
+                            return null;
+                        }
+                    });
 
-            int updateCount = this.stmt.executeUpdate("LOAD DATA LOCAL INFILE '" + fileNameBuf.toString() + "' INTO TABLE loadDataRegress CHARACTER SET "
+            Properties props = new Properties();
+            props.setProperty("allowLoadLocalInfile", "true");
+            Connection testConn = getConnectionWithProps(props);
+            int updateCount = testConn.createStatement().executeUpdate("LOAD DATA LOCAL INFILE '" + fileNameBuf.toString()
+                    + "' INTO TABLE loadDataRegress CHARACTER SET "
                     + CharsetMapping.getMysqlCharsetForJavaEncoding(((MySQLConnection) this.conn).getEncoding(), (com.mysql.jdbc.Connection) this.conn));
             assertTrue(updateCount == rowCount);
         } finally {
@@ -8841,4 +8858,4 @@ public void testBug96442() throws Exception {
 
     }
 
-}
+}

src/testsuite/simple/ConnectionTest.java

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -733,6 +733,7 @@ public void testLocalInfileWithUrl() throws Exception {
         createTable("testLocalInfileWithUrl", "(field1 LONGTEXT)");
 
         Properties props = new Properties();
+        props.setProperty("allowLoadLocalInfile", "true");
         props.setProperty("allowUrlInLocalInfile", "true");
 
         Connection loadConn = getConnectionWithProps(props);
@@ -784,25 +785,40 @@ public void testLocalInfileWithUrl() throws Exception {
     public void testLocalInfileDisabled() throws Exception {
         createTable("testLocalInfileDisabled", "(field1 varchar(255))");
 
-        File infile = File.createTempFile("foo", "txt");
+        final File infile = File.createTempFile("foo", "txt");
         infile.deleteOnExit();
         //String url = infile.toURL().toExternalForm();
         FileWriter output = new FileWriter(infile);
         output.write("Test");
         output.flush();
         output.close();
 
-        Connection loadConn = getConnectionWithProps(new Properties());
+        // Test load local infile support disabled via client capabilities by default.
+        assertThrows(SQLException.class,
+                versionMeetsMinimum(8, 0, 19) ? "Loading local data is disabled;.*" : "The used command is not allowed with this MySQL version",
+                new Callable<Void>() {
+                    public Void call() throws Exception {
+                        ConnectionTest.this.stmt.executeUpdate("LOAD DATA LOCAL INFILE '" + infile.getCanonicalPath() + "' INTO TABLE testLocalInfileDisabled");
+                        return null;
+                    }
+                });
+
+        // Test load local infile support enabled via client capabilities but disabled on the connector.
+        Properties props = new Properties();
+        props.setProperty("allowLoadLocalInfile", "true");
+        final Connection loadConn = getConnectionWithProps(props);
 
         try {
-            // have to do this after connect, otherwise it's the server that's enforcing it
-            ((com.mysql.jdbc.Connection) loadConn).setAllowLoadLocalInfile(false);
-            try {
-                loadConn.createStatement().execute("LOAD DATA LOCAL INFILE '" + infile.getCanonicalPath() + "' INTO TABLE testLocalInfileDisabled");
-                fail("Should've thrown an exception.");
-            } catch (SQLException sqlEx) {
-                assertEquals(SQLError.SQL_STATE_GENERAL_ERROR, sqlEx.getSQLState());
-            }
+            // Must be set after connect, otherwise it's the server that's enforcing it.
+            ((ConnectionProperties) loadConn).setAllowLoadLocalInfile(false);
+
+            assertThrows(SQLException.class, "Server asked for stream in response to LOAD DATA LOCAL INFILE but functionality is disabled at client by "
+                    + "'allowLoadLocalInfile' being set to 'false'\\.", new Callable<Void>() {
+                        public Void call() throws Exception {
+                            loadConn.createStatement().execute("LOAD DATA LOCAL INFILE '" + infile.getCanonicalPath() + "' INTO TABLE testLocalInfileDisabled");
+                            return null;
+                        }
+                    });
 
             assertFalse(loadConn.createStatement().executeQuery("SELECT * FROM testLocalInfileDisabled").next());
         } finally {

src/testsuite/simple/StatementsTest.java

@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -1758,20 +1758,27 @@ public void testLocalInfileHooked() throws Exception {
         createTable("localInfileHooked", "(field1 int, field2 varchar(255))");
         String streamData = "1\tabcd\n2\tefgh\n3\tijkl";
         InputStream stream = new ByteArrayInputStream(streamData.getBytes());
+
+        Properties props = new Properties();
+        props.setProperty("allowLoadLocalInfile", "true");
+        Connection testConn = getConnectionWithProps(props);
+        Statement testStmt = testConn.createStatement();
+
         try {
-            ((com.mysql.jdbc.Statement) this.stmt).setLocalInfileInputStream(stream);
-            this.stmt.execute("LOAD DATA LOCAL INFILE 'bogusFileName' INTO TABLE localInfileHooked CHARACTER SET "
+            ((com.mysql.jdbc.Statement) testStmt).setLocalInfileInputStream(stream);
+            testStmt.execute("LOAD DATA LOCAL INFILE 'bogusFileName' INTO TABLE localInfileHooked CHARACTER SET "
                     + CharsetMapping.getMysqlCharsetForJavaEncoding(((MySQLConnection) this.conn).getEncoding(), (com.mysql.jdbc.Connection) this.conn));
             assertEquals(-1, stream.read());
-            this.rs = this.stmt.executeQuery("SELECT field2 FROM localInfileHooked ORDER BY field1 ASC");
+            this.rs = testStmt.executeQuery("SELECT field2 FROM localInfileHooked ORDER BY field1 ASC");
             this.rs.next();
             assertEquals("abcd", this.rs.getString(1));
             this.rs.next();
             assertEquals("efgh", this.rs.getString(1));
             this.rs.next();
             assertEquals("ijkl", this.rs.getString(1));
         } finally {
-            ((com.mysql.jdbc.Statement) this.stmt).setLocalInfileInputStream(null);
+            ((com.mysql.jdbc.Statement) testStmt).setLocalInfileInputStream(null);
+            testConn.close();
         }
     }
 }