[PATCH] http: Don't leak the webvpn cookie in XML POST mode
Kevin Cernekee
cernekee at gmail.com
Sun Mar 3 21:20:51 EST 2013
XML POST mode introduces a new header in the <auth> response. Squash it
so that people don't inadvertently post logs containing webvpn cookies.
Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
cstp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cstp.c b/cstp.c
index d57d741..4896212 100644
--- a/cstp.c
+++ b/cstp.c
@@ -310,7 +310,11 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
return -ENOMEM;
}
- vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
+ /* This contains the whole document, including the webvpn cookie. */
+ if (!strcasecmp(buf, "X-CSTP-Post-Auth-XML"))
+ vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, _("<elided>"));
+ else
+ vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
if (!strncmp(buf, "X-DTLS-", 7)) {
*next_dtls_option = new_option;
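Review bot: The redaction in the added `if (!strcasecmp(buf, "X-CSTP-Post-Auth-XML"))` branch is keyed on one exact header name, so every other header still goes through the else branch and is logged verbatim at PRG_TRACE. If another header ever carries the cookie, it will be logged again. Consider keeping the sensitive header names in one small table or helper (hypothetical name: header_is_sensitive(buf)) and making a single call, `vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, sensitive ? _("<elided>") : colon);`, which also removes the duplicated format string. Two smaller points: the comment should name the header it describes instead of "This", and the new test is case-insensitive while the X-DTLS- test directly below uses strncmp, so it is worth stating whether that difference is intended.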
--
1.7.10.4