BMC update via TFTP
Adriana Kobylak
anoo at linux.ibm.com
Wed Dec 4 06:55:13 AEDT 2019
On 2019-12-03 11:08, Gunnar Mills wrote:
> On 12/3/2019 10:12 AM, Gunnar Mills wrote:
>
>>> In BMC WebUI under "Download image file from TFTP server" section,
>>>
>>> we have text fields "TFTP Server IP address" and "File name".
>>> "File name" doesn't take folders in path. Is this a bug or
>>> expected behavior?
>>>
>>> TFTP downloads work only if file is kept in root of tftp share.
>> This is expected.
>>
> https://github.com/openbmc/phosphor-bmc-code-mgmt/blob/b0ce996ac60cf80487d71c3cdb7165d065079377/download_manager.cpp#L33
>> [1]
>
> As long as we continue to sanitize the local filename, I don't see why
> we need to limit the source file name.
> Patrick, Adriana, Any objection? Remember why we wrote it this way? I
> assume for simplicity..?
It was done for security to prevent users from specifying a file outside
the tftp directory, such as /mydir/../root/system-file.
But it seems the current file name handling breaks the ability to get
files from a subdir, like Raj pointed out. We should be able to fix that.
TFTP supports having a file in subdirs such as
/tftpboot/subdirectory/file, and passing /subdirectory/file to it as the
path.
>
> Thanks,
> Gunnar
>
>
> Links:
> ------
> [1]
> https://github.com/openbmc/phosphor-bmc-code-mgmt/blob/b0ce996ac60cf80487d71c3cdb7165d065079377/download_manager.cpp#L33
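
The handling discussed in this thread, as an added example that is not part of the original messages or of phosphor-bmc-code-mgmt: a source-path check that accepts subdirectories, rejects ".." components, and still reduces the local name to a bare file name. The names TftpName and checkTftpPath are hypothetical, and refusing backslashes is an assumption.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Outcome of checking a user-supplied TFTP source path (hypothetical type).
struct TftpName {
    bool ok;            // false: reject the request
    std::string remote; // normalized path relative to the TFTP root
    std::string local;  // bare file name for the local download directory
};

// Accept subdirectories, reject anything that could climb out of the root.
TftpName checkTftpPath(const std::string& input)
{
    const TftpName bad{false, "", ""};
    // Assumption: backslashes are refused because some servers treat them
    // as separators; an empty name or a trailing '/' names no file.
    if (input.empty() || input.back() == '/' ||
        input.find('\\') != std::string::npos ||
        input.find('\0') != std::string::npos)
        return bad;

    std::vector<std::string> parts;
    std::string cur;
    for (std::size_t i = 0; i <= input.size(); ++i) {
        if (i < input.size() && input[i] != '/') {
            cur += input[i];
            continue;
        }
        if (cur == "..")
            return bad;               // e.g. /mydir/../root/system-file
        if (!cur.empty() && cur != ".")
            parts.push_back(cur);     // drop "" (from "//") and "."
        cur.clear();
    }
    if (parts.empty())
        return bad;

    TftpName out{true, parts[0], parts.back()};
    for (std::size_t i = 1; i < parts.size(); ++i)
        out.remote += "/" + parts[i];
    return out;
}

int main()
{
    for (const char* p : {"subdirectory/file", "/mydir/../root/system-file"})
        std::cout << p << " -> "
                  << (checkTftpPath(p).ok ? "accept" : "reject") << "\n";
    return 0;
}
```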