Field "Host Description" not properly escaped for ipxe if multiline in branch working-1.6 #660

Open
osiktech opened this issue Nov 18, 2024 · 2 comments
@osiktech

I upgraded to working-1.6 for testing purposes.

I noticed another bug besides #655. It seems the "Host Description" field is not properly handled if the field has line breaks for multiline descriptions.

With modsecurity enabled I debugged what the webserver is sending to the client.

#!ipxe
set fog-ip pxe.example.com
set fog-webroot fog
set boot-url https://${fog-ip}/${fog-webroot}
set setmacto ${net0/mac}
set hostname myhost
set description Created by FOG Reg on November 6, 2024, 2:05 pm
HP Spectre x360 Convertible 14-ea0355ng (2N2A0EA)
set imageID 4
...

Once ipxe fetches and parses the boot.php from the fogserver it fails with HP: command not found. When I changed the "Host Description" field to a single line field it works with no problem.

I am no php developer but I suspect the bug is probably in bootmenu.class starting at line 1939.

Best

@mastacontrola
Member

Did somebody add custom code? I say this because at no point are we sending a parameter called "description" in the code, so this is coming from somewhere else.

That said, iPXE is a very low level language. No amount of escaping or anything would fix new lines being introduced. That's what's erroring out. It seems the code is working properly, but the error is literally in the description itself. I don't believe ipxe can accept multiline statements, which is partly why we don't present the description field.

@osiktech
Author

There were code changes between dev-branch and working-1.6 branch.

I never noticed any problems with the multiline host description field when I was still using dev-branch. I am not sure if this set description is newly introduced in the working-1.6 branch. Like I said, I am not a PHP developer.

But you are right, I found no hint if there is even an option to escape or wrap newlines. Looking at the iPXE script sent from the fogserver to the client I am seeing no reuse of the variable description in it. Maybe you are right and it could be dropped entirely?

For reference I am attaching the full iPXE script sent from the server to the client. (I anonymized sensitive parts of the script)

ipxe_menu.txt
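
One way to keep a multiline field from spilling onto a second script line, as an added example that is not FOG's code and not part of the original thread. The function name `ipxeSetLine`, the setting-name allow-list and the sample values are assumptions made for illustration; the example handles only line breaks and other control characters.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not FOG's API): build exactly one
 * iPXE "set" line from a field that may contain line breaks.
 * Returns null when nothing printable is left, so the caller can skip it.
 */
function ipxeSetLine(string $name, string $value): ?string
{
    // Conservative allow-list for setting names (an assumption of this example).
    if (preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/', $name) !== 1) {
        throw new InvalidArgumentException('unsafe iPXE setting name');
    }
    // Turn every run of CR, LF, tabs and other control bytes into one space,
    // so the value can never begin a new line of the generated script.
    $flat = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value) ?? '';
    $flat = trim(preg_replace('/ {2,}/', ' ', $flat) ?? '');

    return $flat === '' ? null : sprintf('set %s %s', $name, $flat);
}

// Constructed sample input, modelled on the description shown in the report.
$description = "Created by FOG Reg on November 6, 2024, 2:05 pm\r\n"
    . "HP Spectre x360 Convertible 14-ea0355ng (2N2A0EA)";

$lines = array_filter([
    ipxeSetLine('hostname', 'myhost'),
    ipxeSetLine('description', $description),
    ipxeSetLine('imageID', '4'),
    ipxeSetLine('notes', "\r\n\r\n"),   // only line breaks: dropped
], static fn (?string $l): bool => $l !== null);

$script = "#!ipxe\n" . implode("\n", $lines) . "\n";

// Self-check: after the shebang, every line must be a single "set" command.
foreach (array_slice(explode("\n", rtrim($script)), 1) as $line) {
    if (strncmp($line, 'set ', 4) !== 0) {
        throw new RuntimeException("stray script line: $line");
    }
}

echo $script;
```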

@mastacontrola mastacontrola self-assigned this Dec 21, 2024