[PATCH] http: Don't leak the webvpn cookie in XML POST mode

Kevin Cernekee cernekee at gmail.com
Sun Mar 3 21:20:51 EST 2013


XML POST mode introduces a new header in the <auth> response.  Squash it
so that people don't inadvertently post logs containing webvpn cookies.

Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 cstp.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cstp.c b/cstp.c
index d57d741..4896212 100644
--- a/cstp.c
+++ b/cstp.c
@@ -310,7 +310,11 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 			return -ENOMEM;
 		}
 
-		vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
+		/* This contains the whole document, including the webvpn cookie. */
+		if (!strcasecmp(buf, "X-CSTP-Post-Auth-XML"))
+			vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, _("<elided>"));
+		else
+			vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
 
 		if (!strncmp(buf, "X-DTLS-", 7)) {
 			*next_dtls_option = new_option;
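Review bot: The redaction at the new `strcasecmp(buf, "X-CSTP-Post-Auth-XML")` test covers exactly one header name, so any other response header that carries the cookie or the auth document would still be written in full by the `else` branch at PRG_TRACE. Consider moving the name test into a small helper or a table of sensitive header names, so that covering another header is a one-line change and the trace call appears only once. The comment could also say that only the logged value is elided: `colon` itself is unchanged and still reaches the option handling that follows the `X-DTLS-` check. A minor point is that wrapping the placeholder in `_()` makes the logged marker locale-dependent, which makes it harder to search for in logs that users post.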
-- 
1.7.10.4



