[syslinux] lpxelinux.0 does not set the port number in the http Host: header

Michael DeCandia michael.decandia at gmail.com
Thu Oct 8 19:47:56 PDT 2015 

Hello all,

I think I may have found a bug with the way lpxelinux.0 sends http
requests.  Specifically when I trace the requests I notice that the
Host: header does not contain the port that was used to make the
request.

Here's my scenario.  I have a python Flask app that dynamically
generates the PXE menu for kickstarts.  When I request a URL the
server responds with a file containing more URLs based on Flask's
request.url_root.  My web server is running on a non-standard port,
5550.  When my generated menu file came back I noticed that all of the
included URLs were lacking the port.  So instead of seeing the
following:

LABEL rhelresc-manual
    MENU LABEL   Red Hat Enterprise Linux 6 Rescue (HTTP - Manual)
    KERNEL
http://foo.example.com:5550/autoprov/Linux__RedHat__6Server__x86_64/vendor_media/images/pxeboot/vmlinuz
    INITRD
http://foo.example.com:5550/autoprov/Linux__RedHat__6Server__x86_64/vendor_media/images/pxeboot/initrd.img
    APPEND           root=/dev/ram0 text rescue

I received (note the missing port number on foo.example.com):

LABEL rhelresc-manual
    MENU LABEL   Red Hat Enterprise Linux 6 Rescue (HTTP - Manual)
    KERNEL
http://foo.example.com/autoprov/Linux__RedHat__6Server__x86_64/vendor_media/images/pxeboot/vmlinuz
    INITRD
http://foo.example.com/autoprov/Linux__RedHat__6Server__x86_64/vendor_media/images/pxeboot/initrd.img
    APPEND           root=/dev/ram0 text rescue


A packet trace shows the following headers when fetching
http://foo.example.com:5550/autoprov/tftpboot/pxelinux.cfg/01-00-0f-53-27-22-e0.

GET //autoprov/tftpboot/pxelinux.cfg/01-00-0f-53-27-22-e0 HTTP/1.0
Host: foo.example.com
User-Agent: Syslinux/6.03
Connection: close
Cookie: _Syslinux_ip=10.219.25.26%3A10.219.26.71%3A10.219.25.1%3A255.255.255.192;_Syslinux_BOOTIF=01-00-0f-53-27-22-e0;_Syslinux_SYSUUID=44454c4c-3200-105a-8043-c6c04f523232;_Syslinux_CPU=6PVTXL;_Syslinux_SYSVENDOR=Dell+Inc.;_Syslinux_SYSPRODUCT=PowerEdge+R630;_Syslinux_SYSSERIAL=F2ZCR22;_Syslinux_SYSSKU=SKU%3DNotProvided%3BModelName%3DPowerEdge+R630;_Syslinux_SYSFAMILY=PowerEdge;_Syslinux_MBVENDOR=Dell+Inc.;_Syslinux_MBPRODUCT=0CNCJW;_Syslinux_MBVERSION=A03;_Syslinux_MBSERIAL=.F2ZCR22.CN747514AN0076.;_Syslinux_BIOSVENDOR=Dell+Inc.;_Syslinux_BIOSVERSION=1.1.4;_Syslinux_SYSFF=23;

The web server trusts the Host: header more than I expected.  While I
feel like that's a Flask/uwsgi bug (feature?) I need to deal with,
lpxelinux.0 should still send the header as "Host:
foo.example.com:5550".  I realize that the host header is only
required as part of HTTP/1.1, and this is a HTTP/1.0 request, but it
would make sense to implement it as defined in the HTTP/1.1 spec or to
just remove it.

This was found on syslinux-6.0.3 using the official binaries.  I found
a couple of other bugs/bad behaviors too, but it's probably best if I
post those separately.


-Mike

More information about the Syslinux mailing list