From the upstream bug:
When inserting a blob and the value turns out to be a URL, MDB2 will replace the value with a handle to the URL and the driver will fetch the URL and put its contents into the blob field instead of the URL itself literally.
A programmer using MDB2 could easily make a textarea as an input to a blob field. but if he was unaware of the situation (and LOB handling is currently not very well documented), a visitor could input a URL and the application will fetch the URL instead of storing the literal URL itself. and the URL here could be something not normally accessible to the public (when the web server
is on DMZ, it could have access to a resource behind the firewall).
or worse, it looks like it also accepts file:/ URLs. he could input something like file:///etc/passwd or file:///etc/my.cnf and the server will happily get it for him.
This is fixed in 2.5.0_alpha1 (added an option to turn lob_allow_url_include off by default)
InCVS now; and since the current stable deps won't work w/ the new dev-php/PEAR-MDB2...
Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Target keywords: amd64 x86
Stable for HPPA.
It's information leak, but leaking the whole /etc/passwd is not nice, so voting yes.
voting YES too, request filed.
Does not affect current (2008.0) release. Removing release.