mysql
diff --git a/‎CHANGES.txt
Lines changed: 1 addition & 0 deletions b/‎CHANGES.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/_decorating.py
Lines changed: 4 additions & 4 deletions b/‎mysql-connector-python/lib/mysql/connector/_decorating.py
Lines changed: 4 additions & 4 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/_scripting.py
Lines changed: 26 additions & 2 deletions b/‎mysql-connector-python/lib/mysql/connector/_scripting.py
Lines changed: 26 additions & 2 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/abstracts.py
Lines changed: 9 additions & 1 deletion b/‎mysql-connector-python/lib/mysql/connector/abstracts.py
Lines changed: 9 additions & 1 deletion
diff --git a/‎mysql-connector-python/lib/mysql/connector/aio/_decorating.py
Lines changed: 4 additions & 4 deletions b/‎mysql-connector-python/lib/mysql/connector/aio/_decorating.py
Lines changed: 4 additions & 4 deletions
diff --git a/‎mysql-connector-python/lib/mysql/connector/aio/abstracts.py
Lines changed: 9 additions & 1 deletion b/‎mysql-connector-python/lib/mysql/connector/aio/abstracts.py
Lines changed: 9 additions & 1 deletion
diff --git a/‎mysql-connector-python/lib/mysql/connector/aio/connection.py
Lines changed: 64 additions & 15 deletions b/‎mysql-connector-python/lib/mysql/connector/aio/connection.py
Lines changed: 64 additions & 15 deletions
@@ -12,6 +12,7 @@ v9.3.0
 ======
 
 - BUG#37453587: Github links in PyPI project's pages do not work
+- BUG#37418436: Arbitrary File Read in MySQL Python Client library
 
 v9.2.0
 ======
 
@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2024, Oracle and/or its affiliates.
+# Copyright (c) 2009, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -43,8 +43,8 @@ def cmd_refresh_verify_options() -> Callable:
     """Decorator verifying which options are relevant and which aren't based on
     the server version the client is connecting to."""
 
-    def decorator(func: Callable) -> Callable:
-        @functools.wraps(func)
+    def decorator(cmd_refresh: Callable) -> Callable:
+        @functools.wraps(cmd_refresh)
         def wrapper(
             cnx: "MySQLConnectionAbstract", *args: Any, **kwargs: Any
         ) -> Callable:
@@ -63,7 +63,7 @@ def wrapper(
                     stacklevel=1,
                 )
 
-            return func(cnx, options, **kwargs)
+            return cmd_refresh(cnx, options, **kwargs)
 
         return wrapper
 
 
@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2024, Oracle and/or its affiliates.
+# Copyright (c) 2024, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -32,7 +32,7 @@
 import unicodedata
 
 from collections import deque
-from typing import Generator, Optional
+from typing import Deque, Generator, Optional
 
 from .errors import InterfaceError
 from .types import MySQLScriptPartition
@@ -380,3 +380,27 @@ def split_multi_statement(
                 single_stmts=deque(stmts[i : len(stmts)]),
             )
         )
+
+
+def get_local_infile_filenames(script: bytes) -> Deque[str]:
+    """Scans the MySQL script looking for `filenames` (one for each
+    `LOCAL INFILE` statement found).
+
+    Arguments:
+        script: a MySQL script that may include one or more `LOCAL INFILE` statements.
+
+    Returns:
+        filenames: a list of filenames (one for each `LOCAL INFILE` statement found).
+        An empty list is returned if no matches are found.
+    """
+    matches = re.findall(
+        pattern=rb"""LOCAL\s+INFILE\s+(["'])((?:\\\1|(?:(?!\1)).)*)(\1)""",
+        string=MySQLScriptSplitter.remove_comments(script),
+        flags=re.IGNORECASE,
+    )
+    if not matches or len(matches[0]) != 3:
+        return deque([])
+
+    # If there is a match, we get  ("'", "filename", "'") , that's to say,
+    # the 1st and 3rd entries are the quote symbols, and the 2nd the actual filename.
+    return deque([match[1].decode("utf-8") for match in matches])
@@ -1,4 +1,4 @@
-# Copyright (c) 2014, 2024, Oracle and/or its affiliates.
+# Copyright (c) 2014, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -46,6 +46,7 @@
     Any,
     BinaryIO,
     Callable,
+    Deque,
     Dict,
     Generator,
     Iterator,
@@ -258,6 +259,13 @@ def __init__(self) -> None:
         self._init_command: Optional[str] = None
         self._character_set: CharacterSet = CharacterSet()
 
+        self._local_infile_filenames: Optional[Deque[str]] = None
+        """Stores the filenames from `LOCAL INFILE` requests
+        found in the executed query."""
+
+        self._query: Optional[bytes] = None
+        """The query being processed."""
+
     def __enter__(self) -> MySQLConnectionAbstract:
         return self
 
 
@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2024, Oracle and/or its affiliates.
+# Copyright (c) 2009, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -43,8 +43,8 @@ def cmd_refresh_verify_options() -> Callable:
     """Decorator verifying which options are relevant and which aren't based on
     the server version the client is connecting to."""
 
-    def decorator(func: Callable) -> Callable:
-        @functools.wraps(func)
+    def decorator(cmd_refresh: Callable) -> Callable:
+        @functools.wraps(cmd_refresh)
         async def wrapper(
             cnx: "MySQLConnectionAbstract", *args: Any, **kwargs: Any
         ) -> Callable:
@@ -63,7 +63,7 @@ async def wrapper(
                     stacklevel=1,
                 )
 
-            return await func(cnx, options, **kwargs)
+            return await cmd_refresh(cnx, options, **kwargs)
 
         return wrapper
 
 
@@ -1,4 +1,4 @@
-# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -50,6 +50,7 @@
     AsyncGenerator,
     BinaryIO,
     Callable,
+    Deque,
     Dict,
     Generator,
     Iterator,
@@ -287,6 +288,13 @@ def __init__(
 
         self.converter: Optional[MySQLConverter] = None
 
+        self._local_infile_filenames: Optional[Deque[str]] = None
+        """Stores the filenames from `LOCAL INFILE` requests
+        found in the executed query."""
+
+        self._query: Optional[bytes] = None
+        """The query being processed."""
+
         self._validate_connection_options()
 
     async def __aenter__(self) -> MySQLConnectionAbstract:
 
@@ -1,4 +1,4 @@
-# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -59,6 +59,7 @@
 )
 
 from .. import version
+from .._scripting import get_local_infile_filenames
 from ..constants import (
     ClientFlag,
     FieldType,
@@ -81,6 +82,7 @@
     WriteTimeoutError,
     get_exception,
 )
+from ..protocol import EOF_STATUS, ERR_STATUS, LOCAL_INFILE_STATUS, OK_STATUS
 from ..types import (
     BinaryProtocolType,
     DescriptionType,
@@ -219,7 +221,7 @@ async def _do_handshake(self) -> None:
         """Get the handshake from the MySQL server."""
         packet = await self._socket.read()
         logger.debug("Protocol::Handshake packet: %s", packet)
-        if packet[4] == 255:
+        if packet[4] == ERR_STATUS:
             raise get_exception(packet)
 
         self._handshake = self._protocol.parse_handshake(packet)
@@ -368,11 +370,11 @@ def _handle_ok(self, packet: bytes) -> OkPacketType:
         packet, an error will be raised. If the packet is neither an OK or an Error
         packet, InterfaceError will be raised.
         """
-        if packet[4] == 0:
+        if packet[4] == OK_STATUS:
             ok_pkt = self._protocol.parse_ok(packet)
             self._handle_server_status(ok_pkt["status_flag"])
             return ok_pkt
-        if packet[4] == 255:
+        if packet[4] == ERR_STATUS:
             raise get_exception(packet)
         raise InterfaceError("Expected OK packet")
 
@@ -393,11 +395,11 @@ def _handle_eof(self, packet: bytes) -> EofPacketType:
         packet, an error will be raised. If the packet is neither and OK or an Error
         packet, InterfaceError will be raised.
         """
-        if packet[4] == 254:
+        if packet[4] == EOF_STATUS:
             eof = self._protocol.parse_eof(packet)
             self._handle_server_status(eof["status_flag"])
             return eof
-        if packet[4] == 255:
+        if packet[4] == ERR_STATUS:
             raise get_exception(packet)
         raise InterfaceError("Expected EOF packet")
 
@@ -409,7 +411,49 @@ async def _handle_load_data_infile(
         write_timeout: Optional[int] = None,
     ) -> OkPacketType:
         """Handle a LOAD DATA INFILE LOCAL request."""
+        if self._local_infile_filenames is None:
+            self._local_infile_filenames = get_local_infile_filenames(self._query)
+            if not self._local_infile_filenames:
+                raise InterfaceError(
+                    "No `LOCAL INFILE` statements found in the client's request. "
+                    "Check your request includes valid `LOCAL INFILE` statements."
+                )
+        elif not self._local_infile_filenames:
+            raise InterfaceError(
+                "Got more `LOCAL INFILE` responses than number of `LOCAL INFILE` "
+                "statements specified in the client's request. Please, report this "
+                "issue to the development team."
+            )
+
         file_name = os.path.abspath(filename)
+        file_name_from_request = os.path.abspath(self._local_infile_filenames.popleft())
+
+        # Verify the file location specified by `filename` from client's request exists
+        if not os.path.exists(file_name_from_request):
+            raise InterfaceError(
+                f"Location specified by filename {file_name_from_request} "
+                "from client's request does not exist."
+            )
+
+        # Verify the file location specified by `filename` from server's response exists
+        if not os.path.exists(file_name):
+            raise InterfaceError(
+                f"Location specified by filename {file_name} from server's "
+                "response does not exist."
+            )
+
+        # Verify the `filename` specified by server's response matches the one from
+        # the client's request.
+        try:
+            if not os.path.samefile(file_name, file_name_from_request):
+                raise InterfaceError(
+                    f"Filename {file_name} from the server's response is not the same "
+                    f"as filename {file_name_from_request} from the "
+                    "client's request."
+                )
+        except OSError as err:
+            raise InterfaceError from err
+
         if os.path.islink(file_name):
             raise OperationalError("Use of symbolic link is not allowed")
         if not self._allow_local_infile and not self._allow_local_infile_in_path:
@@ -478,16 +522,16 @@ async def _handle_result(
         """
         if not packet or len(packet) < 4:
             raise InterfaceError("Empty response")
-        if packet[4] == 0:
+        if packet[4] == OK_STATUS:
             return self._handle_ok(packet)
-        if packet[4] == 251:
+        if packet[4] == LOCAL_INFILE_STATUS:
             filename = packet[5:].decode()
             return await self._handle_load_data_infile(
                 filename, read_timeout, write_timeout
             )
-        if packet[4] == 254:
+        if packet[4] == EOF_STATUS:
             return self._handle_eof(packet)
-        if packet[4] == 255:
+        if packet[4] == ERR_STATUS:
             raise get_exception(packet)
 
         # We have a text result set
@@ -520,9 +564,9 @@ def _handle_binary_ok(self, packet: bytes) -> Dict[str, int]:
 
         Returns a dict()
         """
-        if packet[4] == 0:
+        if packet[4] == OK_STATUS:
             return self._protocol.parse_binary_prepare_ok(packet)
-        if packet[4] == 255:
+        if packet[4] == ERR_STATUS:
             raise get_exception(packet)
         raise InterfaceError("Expected Binary OK packet")
 
@@ -545,11 +589,11 @@ async def _handle_binary_result(
         """
         if not packet or len(packet) < 4:
             raise InterfaceError("Empty response")
-        if packet[4] == 0:
+        if packet[4] == OK_STATUS:
             return self._handle_ok(packet)
-        if packet[4] == 254:
+        if packet[4] == EOF_STATUS:
             return self._handle_eof(packet)
-        if packet[4] == 255:
+        if packet[4] == ERR_STATUS:
             raise get_exception(packet)
 
         # We have a binary result set
@@ -965,6 +1009,11 @@ async def cmd_query(
             if isinstance(query, str):
                 query = query.encode()
             query = bytearray(query)
+
+        # Set/Reset internal state related to query execution
+        self._query = query
+        self._local_infile_filenames = None
+
         # Prepare query attrs
         charset = self._charset.name if self._charset.name != "utf8mb4" else "utf8"
         packet = bytearray()